hdjrudni 6 days ago

Even if it's "legit", it shouldn't be using unencrypted HTTP.

sam_lowry_ 6 days ago | parent [-]

Why? Should it use the dict protocol, then?

mattmanser 6 days ago | parent | next [-]

Because without HTTPS it's trivial to MITM that clipboard content if they're always sending it via HTTP.

People in your coffee shop on the same WiFi could read it.

I get some people don't realize that's how TCP/IP works and the Firesheep stuff all happened 15 years ago. But a bit worrying to see a frequent HN contributor challenging that.

That's why we now push for HTTPS everywhere.

charcircuit 5 days ago | parent | next [-]

>People in your coffee shop on the same WiFi could read it.

WEP has been deprecated for over 2 decades.

kstrauser 5 days ago | parent | next [-]

That has no effect on the owner of a malicious access point. HTTP over WPA2 is plaintext again the moment the AP decrypts it.

ants_everywhere 5 days ago | parent | prev | next [-]

You may be surprised at the number of unsecured WiFi networks there are.

I see them in 2025 in captive portals, public libraries, and when traveling abroad.

zamadatix 5 days ago | parent | prev | next [-]

Not all guest Wi-Fi uses a PSK. In general, assuming all networks will already be encrypted along each hop to the server is a losing assumption for users.

__MatrixMan__ 5 days ago | parent | prev [-]

HTTPS everywhere is a good start, it keeps the other plebs at the coffee shop out of your business. But it's still open to anyone with enough power to coerce a CA, which is the more concerning sort of adversary anyhow. So yes, HTTPS everywhere, but let's not stop there.

dannyw 5 days ago | parent [-]

Yes, but we have widely deployed efforts like certificate transparency, and cert pinning.

The first makes such attacks widely known events, browsers report by default, and it's provable. It's very rare.

The second allows apps to only trust specific certs or CAs, ignoring system root of trust.

I just want to clarify HTTPS in practice is quite secure.

__MatrixMan__ 5 days ago | parent [-]

I'll not let go of my distaste for roots of trust in any form, but you likely have a point. I'll have to learn more about this transparency thing.

rootnod3 6 days ago | parent | prev [-]

How about HTTPS?