Remix.run Logo
Remix clone Hacker News
new | show | ask | jobsGithub
tryauuum 8 hours ago

I'd rather have some expired cert than http

I saw once my ISP injecting javascript ads into http traffic and the horror is with me forever

miladyincontrol 7 hours ago | parent | next [-]

Agree strongly. An expired cert is better than no cert.

Also would argue maintenance is only as complicated as you make it for yourself. Countless people keep patched, secure, https web servers running with minimal effort. If its somehow effort, introspect some on why you are somehow making so much work for yourself.

pocksuppet 4 hours ago | parent | next [-]

That's no use when your automated registrar stops working in 3 years because it went out of business or changed protocols. Let's Encrypt has been an outlier.

superkuh 6 hours ago | parent | prev [-]

Might be a bit of each of us touching different ends of the elephant. To be clear I am talking about long timespans. Lets Encrypt hasn't even existed for a full decade yet. During that time it's dropped support entirely for the original acme protocol. During that time it's root certs have expired at least twice (only those I remember where it caused issues in older software). And that's ignoring the churn in acme/acme2 clients and specific OS/Distro cert choice issues and browser CA issues. Saying that there's no trouble with HTTPS must be coming from experiences on short timescales (ie, a few years).

HTTP/3 already doesn't allow anything but CA TLS only. It won't be too long before they no longer allow you to click through CA TLS warnings.

If human people want things to be on the web for long time periods those things should be served HTTP+HTTPS.

Ferret7446 6 hours ago | parent [-]

If you can't keep your site's certs working, I don't have much faith you can keep your server working. Maintenance is required in the face of entropy

Telaneo 5 hours ago | parent | prev | next [-]

On the one hand, I agree with you given that state of the world.

On the other hand, that state of the world shouldn't exist. It's incredible to me that it's not illegal.

userbinator 3 hours ago | parent | prev | next [-]

That's when you connect the VPN...

TZubiri 5 hours ago | parent | prev [-]

I thought that was a one time thing in a 3rd world country blown out of proportion into myth status.

Would you mind sharing what ISP it was and what time period this was in?

fushihara 4 hours ago | parent | next [-]

I’m not sure whether this applies globally, but in Japan, around 2015, some mobile carriers deployed a “traffic optimization” feature that would lossily compress images in transit.

On the platforms of NTT Docomo and KDDI (au), users could opt out of this behavior. However, with SoftBank, it could not be disabled, which led to controversy.

As you might expect, this caused issues—since the image data was modified, the hash values changed. As a result, some game apps detected downloaded image files as corrupted and failed to load them properly.

Needless to say, this was effectively a man-in-the-middle attack, so it did not work over HTTPS.

Within a couple of years, the feature seems to have been quietly discontinued.

There were also concerns that this might violate the secrecy of communications, but at least the government authorities responsible for telecommunications did not take any concrete action against it.

There is a Japanese Wikipedia article about this: https://ja.wikipedia.org/wiki/%E9%80%9A%E4%BF%A1%E3%81%AE%E6...

TZubiri 4 hours ago | parent [-]

This event sounds much more realistic/common, the motivation of an ISP to save bandwidth costs is much more likely/frequent than the motivation of an ISP to monetize through ads (in addition to monthly service fees).

pixl97 5 hours ago | parent | prev | next [-]

Where as my ISP did not put in ads, they did inject messages such as maintenance was going to occur and did things like redirect bad dns to their own search.

Also ISPs were monitoring and selling browsing data years ago.

rcakebread 5 hours ago | parent | prev | next [-]

Comcast / Xfinity in the U.S., for example:

https://www.reddit.com/r/technology/comments/9b5ikd/comcastx...

offmycloud an hour ago | parent | prev | next [-]

Cox Communications used to do it in California to inject JS into sites. I remember seeing little Cox popup/toast messages in the corner of other sites.

tryauuum 5 hours ago | parent | prev [-]

it was some mobile ISP in Russia. Maybe 6 or 8 years ago