bigstrat2003 2 days ago

There's no good reason to serve a blog over TLS. You're not handling sensitive data, so unencrypted is just fine.

foobiekr 2 days ago | parent | next [-]

The reason is to prevent your site from becoming a watering hole where malicious actors use it to inject malware into the browsers of your users.

TLS isn't for you, it's for your readers.

dijit a day ago | parent | next [-]

but like, who’s doing that?

Maybe the answer is disabling the JS runtime on non-TLS sites, maybe that has the added benefit of making the web (documents and “posters”) light again.

SMS is unencrypted, phone calls are unencrypted- yet we don’t worry nearly as much about people injecting content or modifying things. Because we trust our providers, largely, but the capability 100% exists for that; with no actual recourse. With browsing the internet we do have recourse- optionally use a VPN.

All of this security theatre is just moving the trust around, I would much rather make laws that protect the integrity of traffic sent via ISPs than add to the computational waste from military grade encrypting the local menu for the pizza shop.

Worse still, the pizza shop won’t go through the effort so they either won’t bother having a website or will put it on facebook or some other crazy centralised platform.

I’ll tell you something, I trust my ISP (Bahnhof- famous for protecting thepiratebay) a lot more than I trust Facebook not to do weird moderation activities.

GoblinSlayer a day ago | parent | prev [-]

Ads will inject it anyway.

nssnsjsjsjs a day ago | parent [-]

If there are ads.

cAtte_ 2 days ago | parent | prev | next [-]

relevant blog post and HN discussion: https://news.ycombinator.com/item?id=22146291

throw0101b 2 days ago | parent | prev | next [-]

> You're not handling sensitive data, so unencrypted is just fine.

Except when an adversary MITMs your site and injects an attack to one of your readers:

* https://www.infoworld.com/article/2188091/uk-spy-agency-uses...

Further: tapping glass is a thing, and if the only traffic that is encrypted is the "important" or "sensitive" stuff, then it sticks out in the flow, and so attackers know to focus just on that. If all traffic is encrypted, then it's much harder for attackers to figure out what is important and what is not.

So by encrypting your "unimportant" data you add more noise that has to be sifted through.
