
756 points dagurp | 6 comments
1. swayvil ◴[] No.36883023[source]
Why does everything need to be secure now?

I can understand shopping. And reporters of hot news. But why everything?

Why does my http site, which has nothing important on it at all, get flagged by chrome as "insecure"?

This strikes me as a bunch of bs.

replies(4): >>36883301 #>>36885631 #>>36886011 #>>36886406 #
2. nobody9999 ◴[] No.36883301[source]
>Why does everything need to be secure now?

>I can understand shopping. And reporters of hot news. But why everything?

So Google can capture more ad revenue by refusing to "attest" clients who run ad blockers?

And so other attestors can dictate the "approved" software that can be used.

What could go wrong? /s

3. RodgerTheGreat ◴[] No.36885631[source]
The usual argument is that vanilla HTTP makes it possible for a man-in-the-middle (your ISP, presumably?) to tamper with data payloads before they're delivered.

Requiring HTTPS means you require clients to have up-to-date TLS certificates and implementations. This provides a ratchet that slowly makes it harder and harder to use old computers and old software to access the web. Forced obsolescence and churn are highly desirable for anybody who controls the new standards, including Google.

replies(1): >>36886029 #
4. Vecr ◴[] No.36886011[source]
It's insecure because someone on path (or actually off-path but harder) could replace the contents of your website with whatever they want, including taking payments "on your behalf" and then just pocketing them. The main original point of HTTPS, and why I assume it does not use starttls or similar, is so people in the late 1990s and early 2000s could figure out what websites they were allowed to put their credit card numbers into.
5. Vecr ◴[] No.36886029[source]
You can run TLS stacks that work with modern websites on old devices, it's just not really that secure; see https://www.dialup.net/wingpt/tls.html for running "Modern TLS/SSL on 16-bit Windows".
6. cesarb ◴[] No.36886406[source]
> Why does my http site, which has nothing important on it at all, get flagged by chrome as "insecure"?

Because an attacker can inject JavaScript code on it, and use it to attack other sites. The most famous example of that is "Great Cannon", which used a MITM attack on http sites to inject JavaScript code which did a distributed denial of service attack on GitHub. Other possibilities include injecting code which uses a browser vulnerability to install malware on the computer of whoever accesses your site (a "watering hole" attack), without having to invade your site first.
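An added example, not from any commenter in this thread: a site owner's defender-side check for the in-transit script injection cesarb describes. It parses an HTML body as a client received it over plain HTTP and reports any external script source or inline script body that the owner did not publish; the HTML and the `injected.example` host are constructed placeholders.

```python
"""Audit an HTTP response body for script tags the site owner did not publish.

Constructed example: SERVED_HTML is the page as a client on an untrusted
network received it; the allow-lists describe what the owner actually deployed.
"""
from html.parser import HTMLParser
import hashlib


class ScriptCollector(HTMLParser):
    """Collect external script sources and SHA-256 hashes of inline script bodies."""

    def __init__(self):
        super().__init__()
        self.external = []   # src attribute of every <script src=...>
        self.inline = []     # sha256 hex of every inline script body
        self._buf = None     # pieces of the inline script currently being read

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._buf = []

    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._buf is not None:
            body = "".join(self._buf).strip().encode()
            self.inline.append(hashlib.sha256(body).hexdigest())
            self._buf = None


def unexpected_scripts(html, allowed_external, allowed_inline_sha256):
    """Return (external srcs, inline hashes) found in html but absent from the allow-lists."""
    p = ScriptCollector()
    p.feed(html)
    p.close()
    bad_external = [s for s in p.external if s not in allowed_external]
    bad_inline = [h for h in p.inline if h not in allowed_inline_sha256]
    return bad_external, bad_inline


# Constructed sample: the deployed page, plus one script tag added in transit (placeholder host).
PUBLISHED_HTML = '<html><body><p>hello</p><script src="/static/app.js"></script></body></html>'
SERVED_HTML = PUBLISHED_HTML.replace(
    "</body>", '<script src="http://injected.example/x.js"></script></body>')

if __name__ == "__main__":
    print(unexpected_scripts(SERVED_HTML, ["/static/app.js"], []))
```

Run it against your own page fetched from several networks; any non-empty result means the body that reached the client is not the one you published.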