←back to thread

Unpacking Google’s Web Environment Integrity specification

(vivaldi.com)
756 points dagurp | 1 comments | 26 Jul 23 11:30 UTC | HN request time: 0s | source
Show context
swayvil ◴[26 Jul 23 18:56 UTC] No.36883023[source]
Why does everything need to be secure now?

I can understand shopping. And reporters of hot news. But why everything?

Why does my http site, which has nothing important on it at all, get flagged by chrome as "insecure"?

This strikes me as a bunch of bs.

replies(4): >>36883301 #>>36885631 #>>36886011 #>>36886406 #
RodgerTheGreat ◴[26 Jul 23 21:51 UTC] No.36885631[source]
The usual argument is that vanilla HTTP makes it possible for a man-in-the-middle (your ISP, presumably?) to tamper with data payloads before they're delivered.

Requiring HTTPS means you require clients to have up-to-date TLS certificates and implementations. This provides a ratchet that slowly makes it harder and harder to use old computers and old software to access the web. Forced obsolescence and churn is highly desirable for anybody who controls the new standards, including Google.

replies(1): >>36886029 #
1. Vecr ◴[26 Jul 23 22:23 UTC] No.36886029[source]
You can run TLS stacks that work with modern websites on old devices, it's just not really that secure, see https://www.dialup.net/wingpt/tls.html for running "Modern TLS/SSL on 16-bit Windows"