tomtomtom777 5 hours ago
Please use HTTPS. I use HTTPS only. I don't think HTTP is acceptable for anyone let alone a technical blog post. It takes a few minutes, and it prevents me and all your visitors from getting all kinds of MITM injections. Thanks.
|
Fwirt 5 hours ago
It also prevents all kinds of clients who (for various reasons) can't implement SSL from visiting your website. I'm sure this is a "small web" blog, whose author wants to be visited by e.g. a Commodore 64, an OS 9 iMac, or somebody who just wants to telnet in. If the sensitivity of the information on this page was critical or you were going to be submitting information then by all means yes, SSL is important, but if you're going to be reading a personal blog about calendars then http is probably fine. Of course the ideal solution is offering both and letting the client choose.
|
voidfunc 5 hours ago
MITM attack on a read-only text webpage... okay. More annoying is the slightly shiny/shaded text that is supposed to highlight something. Who chose this style palette?
Aesthetikx 5 hours ago
Haha this is my blog -- it's pretty new. I agree its readability is less than ideal -- going to change it at some point. HTTPS as well probably at some point. It's been an experiment for me doing everything by hand. The entire blog is a large single Rakefile using Markaby :)
zzo38computer 4 hours ago
Even just disabling CSS makes it readable. For HTTPS, I think that (like someone else mentioned) it should be made optional (at least for read-only access to public files) rather than mandatory.
lentil_soup 4 hours ago
For what it's worth, I actually liked the shaded links, they made me smile :)
himata4113 4 hours ago
Check out certbot + install certbot renew into crontab. Get the python3 variant; the "native" package is outdated and removed from newer systems.
foobiekr 3 hours ago
It's html. Which is code that your browser executes. Millions of routers are compromised. BGP attacks happen. Anything http stands out as an interesting target for injection. This position is foolish. It's not a major ask to enable https.
themafia 2 hours ago
The browser still has to execute code over HTTPS. You've just moved the injection perimeter from inside my own network into the provider's website. I don't think you've fundamentally changed your level of risk unless you spend a huge amount of time browsing on shared password WPA protected wifi networks. You cannot browse to sites under any regime and execute code while expecting security to exist.
|
pc86 3 hours ago
Man I really hope this doesn't get autoflagged because people need to see that this is an opinion people actually have, and what the (justified) reaction to it is. HTTPS on a blog does nothing. It doesn't protect you from anything. I guarantee you're not getting "all kinds of MITM injections" on this block of text. The only reasonable desire I can think of for "HTTPS everywhere" is hiding the content from your ISP but a) they still see the URL so they can get the content if they want it, and b) if you're so worried about that, use a VPN which coincidentally is even better because it will also hide the URL, and most importantly c) it puts the onus on you, the person who wants the thing, instead of hundreds or thousands or tens of thousands of text-only website owners who rightly couldn't care less about HTTPS.
foobiekr 3 hours ago
> I guarantee you're not getting "all kinds of MITM injections" on this block of text
You actually can't guarantee anything of the sort. BGP hijacks are real.
rnhmjoj 2 hours ago
> they still see the URL so they can get the content if they want it
That's incorrect, a MitM can only reveal the server hostname by inspecting the SNI during the TLS handshake, but the HTTP request, including the URL and headers, is encrypted.
pc86 an hour ago
Surely your ISP can see every URL you visit if they have a reason to? They're routing the traffic.
rnhmjoj an hour ago
No they can't. They obviously know the IP addresses, but that's not terribly useful since everything is behind a cloudflare proxy nowadays. The server hostname may provide some more information, if the server doesn't support ECH [1], but the full URL is encrypted.
[1] https://en.wikipedia.org/wiki/Server_Name_Indication#Encrypt...
NetMageSCW an hour ago
Routing only shows the server IP address, which isn't very useful if it is AWS or Azure or CloudFlare or some other CDN.
|
himata4113 5 hours ago
I think you would have a better argument if you said something like: "I don't want my ISP knowing about the content I read" or something along those lines. MITM for a text download is like saying we have to have https for dns (yes DoH exists now), but the point still stands. You aren't sending any sensitive data to the website, MITM is unlikely.
brewmarche 5 hours ago
Without HTTPS someone could alter the content, spread false information, inject ads, malware, and other stuff, redirect to some other site, … (This is a general remark, but it goes for a blog post like this as well.)
himata4113 4 hours ago
It's still a weak argument since it's extremely rare in practice; that's why I suggested blaming the ISP instead, since ISPs are the ones that have historically tampered with http content.
foobiekr 3 hours ago
Attacks in general are all rare in practice in the grand scheme of the internet. So?
himata4113 2 hours ago
Yes, that's why you present a better argument, that's the entire conversation.
|
Joker_vD 4 hours ago
The site owners could do all of that even with HTTPS, and no-one would revoke their certs. Just saying. And the best Windows malware is actually digitally signed.
OkayPhysicist 3 hours ago
Without HTTPS, every link in the chain between me and your website is a potential attack vector. Maybe I trust my ISP, but do I trust my buddy's cheapo router? What about the shadowy cabal that offers airport wifi? With static webpages, the concern isn't someone snooping in on what I'm reading. It's someone injecting content, probably malware, into the page. Let's say I have a zero-click exploit for Chrome. What can I do with it? If I just stick it on a page I control, best I can hope for is spamming it all over the web and hoping someone clicks on it. Probably not a lot of impact before it gets patched. If instead, I can wait until some router firmware gets pwned, or an ISP, I can do a mass attack where I make all the vulnerable routers inject my exploit into all non-HTTPS web requests. Much greater exposure.
butlike 2 hours ago
Just as a reminder, this was standard before SSL/TLS. Every webpage was http-only.
|
hamdingers 4 hours ago
Surprised this is downvoted. Chrome forces me to click through a warning to even visit HTTP sites nowadays.
stronglikedan 3 hours ago
It only does that for me if there's an HTTPS option available but it's expired or not configured correctly. Chrome let me right into this site without that warning.
LtWorf 3 hours ago
Yup, very secure. Then every single IT department installs a cert on the machines to MITM everything.
hamdingers 3 hours ago
I have no idea what you're trying to say, there's no IT department managing my laptop and none of the IT departments I've worked in or with "MITM everything." Do you want to try again?
pc86 3 hours ago
On the flip side, every company I've ever worked for has installed trusted company certs on their computers and does MITM everything.
Joker_vD 3 hours ago
Yep. You apparently need HTTPS for intranet resources too, or you can't develop/use web-apps in Chrome, and since no self-respecting CA would certify your localhost, internal homegrown CA it is, baby — and given the web runs on the lovely model "any CA can attest any website; okay, maybe CAA is not a bad idea"...
NoahZuniga an hour ago
Even with CAA records, any CA can still create a cert for any website. So if you're worried about an untrustworthy CA, then this won't help you. It could make it less likely for a CA with buggy code to accidentally issue a cert for your domain.
|