Can't believe it's been ten years.
The lack of understanding from us as technologists for people who would have had a working site and are now forced into either an oligopoly of site-hosting companies, or having their site break consistently as TLS standards rotate, is one thing that brings me shame about our community.
You can come up with all kinds of reasons to gatekeep website hosting: “they have to update anyway” even when updating means reinstallation of an OS, “it's not that hard to rotate” say people with deep knowledge of computers, “just get someone else to do it” say people who have a financial interest in it being that way.
Framing people with legitimate issues as weirdos is not as charming as you think it is.
Also the Kebap Shop probably has a form for reservation or ordering, which takes personal information.
True, they are all low risk things, but getting TLS is trivial (since many Webservers etc can do letsencrypt rotation fully automatically) and secure defaults are a good thing.
There is regulation, like mandatory yearly inspections and anyone is only allowed to sell road worthy vehicles. These rules are rather strict, likewise for the driver's license. They aren't impossible to know or understand, but there's a lot of details.
However, when I take it to the shop, whether for that yearly inspection, regular maintenance, or because there's something apparently wrong with it, I never know what to expect in terms of time and money.
Oh, it needs a new thingamajig? I start to mildly sweat, fearing it to cost six hundred like the flux capacitor that had to be replaced last week/month/year and took two weeks to get shipped from another country. "Ninety cents, and we put it in place for no charge, it literally takes ten seconds", like, I love to hear the news, could have saved me from the anguish by giving a hint when I asked about the price! But need a new key? Starting from three hundred fifty, plus one hundred seventy for a backup copy. Like, where do these prices come from? Actually, don't tell me, I'm a software engineer. I know, I know.
I'll just wait until you want your car shop web pages up. Oh, for that you'll need PCI DSS and we can't do those other things because of GDPR. Sorry, my hands are tied here. That'll be four thousand plus tax, mister auto mechanic shop owner.
Safe transfer should be the default.
Your argument is akin to "I don't have anything to hide."
You just do it and don't think about it. Modern servers and services make this completely transparent.
The kebab guy doesn't need to worry about this as long as they're not fooled into buying from mala fide hosting companies who try to upsell you on something that should be the baseline.
They’ve nearly all been lost to time now though, if a shop has a web-presence it will be through a provider such as “bokabord”, doordash, ubereats (as mentioned), some of whom charge up to 30% of anything booked/ordered via the web.
But, I guess no MITM can manipulate prices… except, by charging…
There are more than enough forgotten kebab shop restaurant pages that are now serving malware because they never updated WordPress that an out-of-date certificate warning is a very good "heads up, this site hasn't been maintained in 6 years".
If we're talking hosting even a static HTML file without using a site hosting company, that already requires so much technical knowledge (Domain purchasing, DNS, purchasing a static IP from your ISP, server software which again requires vuln updates) that said person will be able to update a TLS cert without any issue.
If you care about the integrity of the conveyed information you need TLS. If you don't, you wouldn't have published a website in the first place.
A while back I've seen a wordpress site for a podcast without https where people also argued it doesn't need it. They had banking information for donations on that site.
Sometimes I wish every party involved in transporting packets on the internet would just mangle all unencrypted http that they see, if only to make a point...
However, if you already have bought a domain name, the cost of setting up TLS is basically 0. You just run certbot and give it the domains you want to license. It will set up auto-renew and even edit your Apache/NGINX configs to enable TLS.
Sure, TLS standards rotate. But that just means you have to update Apache/NGINX every like 5 years. Hardly a barrier for most people imo.
certbot is a Python program, better hope it keeps working. It's definitely not kept working for me and I'm a seasoned sysadmin: a combination of my Python environment becoming outdated (making updates impossible) and a deprecation of a critical API needed for it to work.
The #1 cause of issues with a hobby website, darkscience.net, is that it refuses to negotiate on Chrome because the TLS suites are considered too old, yet in 2020 I was scoring A+ on Qualys SSL report.
It's just time, time and effort, and it's wasted mostly.
The letsencrypt tools are really wonderful, just pray they don’t break, and be ready to reinstall everything from scratch at some point.
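The comment above describes a site that still got an A+ in 2020 but now fails to negotiate with Chrome because its cipher suites are considered too old. A quick way to see that coming is to audit the server's cipher string before a browser does it for you. The following is an added example, not code from the thread or from any project mentioned in it: it expands an OpenSSL cipher string (the format used by Apache's SSLCipherSuite and nginx's ssl_ciphers) with the local OpenSSL and flags every TLS 1.2-or-older suite that lacks forward secrecy or AEAD or uses a broken primitive. The "modern" bar applied here is this example's own assumption, not any browser's published policy.

```python
"""Audit an OpenSSL cipher string for suites a modern browser will
refuse.  Added example; the bar (forward secrecy + AEAD, no RC4/3DES/
MD5) is an assumption of this script, not a quote of Chrome's policy."""
import ssl
import sys

FORWARD_SECRECY_KEX = ("ECDHE-", "DHE-")      # ephemeral key exchange
AEAD_MARKERS = ("GCM", "CHACHA20", "CCM")     # AEAD record protection
BROKEN = ("RC4", "3DES", "DES-CBC3", "MD5")  # primitives nobody ships any more


def classify_suite(name, protocol):
    """Return the reasons a strict client would reject this suite.
    An empty list means the suite is acceptable by this script's bar."""
    if protocol == "TLSv1.3":
        return []  # every TLS 1.3 suite is (EC)DHE + AEAD by construction
    issues = []
    if not name.startswith(FORWARD_SECRECY_KEX):
        issues.append("no forward secrecy")   # static RSA / DH key exchange
    if not any(m in name for m in AEAD_MARKERS):
        issues.append("not AEAD")             # CBC + HMAC construction
    if any(b in name for b in BROKEN):
        issues.append("broken primitive")
    return issues


def audit_cipher_spec(spec):
    """Expand an OpenSSL cipher string with the local OpenSSL and classify
    every TLS <= 1.2 suite it enables.  TLS 1.3 suites are skipped because
    the cipher string does not govern them (OpenSSL uses 'ciphersuites')."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(spec)  # raises ssl.SSLError if nothing in spec matches
    report = {}
    for c in ctx.get_ciphers():
        if c["protocol"] == "TLSv1.3":
            continue
        report[c["name"]] = classify_suite(c["name"], c["protocol"])
    return report


def legacy_suites(spec):
    """Only the suites that have at least one issue, for a short summary."""
    return {name: issues for name, issues in audit_cipher_spec(spec).items() if issues}


if __name__ == "__main__":
    # Constructed sample: a mix of one modern suite and two legacy ones,
    # standing in for a config that scored well years ago.
    sample = "ECDHE-RSA-AES128-GCM-SHA256:AES128-SHA:DES-CBC3-SHA"
    spec = sys.argv[1] if len(sys.argv) > 1 else sample
    for name, issues in audit_cipher_spec(spec).items():
        print(f"{name:40s} {'OK' if not issues else ', '.join(issues)}")
```

Run it with your real ssl_ciphers value as the first argument; anything listed with "no forward secrecy" or "not AEAD" is a suite a current browser will no longer offer, so if those are the only suites the server accepts, the handshake fails exactly as described above. Suites the local OpenSSL no longer compiles in simply do not appear in the report, which is itself a hint that they are gone from clients too.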
certbot is not even close to the pinnacle of easy TLS setup. Using an HTTP server that fully integrates ACME and tls-alpn-01 is much nicer: tell your server what domain you use, and it automatically obtains a certificate.
There is also https://github.com/srvrco/getssl which is a bash script. I have lightly audited it years ago and it did not seem to upload your private keys anywhere... I've used it occasionally, but I don't let it run as root, so I need to copy the retrieved certs into the server config manually.
While we might be able to find common ground in the statement that "safe transfer should be the default", we will differ on the definition of "safe".
Unfortunately these discussions often end up in techno-babble. Especially here on HN where we tend to enjoy rather binary viewpoints without too many shades of gray.
Try being your own devils advocate: "What if I have something to hide?".
Then deal with that. Legitimately. Reasonably. Unless you are an anarchist I assume that we can agree that we need authorities. A legal framework. Policing.
So I 100% support Let's Encrypt and what they have done to destroy the certificate racket. That is a force of good!
But I do not think it was a healthy thing that the browsers (and Google search results) "forced" the world defacto to TLS only.
Why? Look at the list of Trusted Root Certificates in the big OS and browsers. You are telling me only good guys are listed? None here are or can be influenced by state actors?
But that is the good kind of MITM? This then hinges on your definition of "safe transport". Only the anarchist can win against the government. I am not.
It might sound like I am in the "I do not have anything to hide" camp. I am not that naive. But I am firmly in the "I prefer more scrutiny when I have something to hide". Because the measures the authorities need to employ today are too draconian for my liking.
I preferred the risk of MITM on an ISP level to what the authorities need to do now to stay in control. We have not eliminated MITM. Just made it harder. And we forgot to discuss legitimate reasons for MITM because "bad".
This is not a "technical" discussion on the fine details of TLS or not. But should be a discussion about the societal changes this causes. We need locks to keep the creeps out but still want the police to gain access. The current system does not enable that in a healthy way but rather erodes trust.
Us binary people can define clear simple technical solutions. But the rest of the world is quite messy. And us bit twiddlers tend to shy away from that and then ignore the push-back to our actions.
We cannot have a sober conversation unless we depart from the "encrypt everything" is technically good and then that is set in stone. But here we are: Writing off arguments as irrelevant.
The larger point is regarding the fact that it's required for what amounts to a poster on a wall: yes, someone can come along with a pen and alter the poster, but it's not worth the effort to secure for most people and will degrade rapidly with such security too.
So, instead they turn to middlemen, or don’t bother.
There's a myriad of other issues, but it's not as easy as we claim.
The cryptography community would have you believe that the only solution to getting scammed is encryption. It isn't.
Like, "telnet textfiles.com 80" then "GET / HTTP/1.0", <enter>, "Location: textfile.com" <enter><enter> and you have the page.
What would be the point of making these unencrypted sites disappear?
[citation needed]
There are plenty of organizations that actively scan the web for "malware" (aka anything that the almighty machine learning algorithms don't like) and are more than happy to harass the website owner and hosting company until their demands are met.
Security is ultimately a social issue. Technical means are only one way to improve it and can never solve it 100%. You must never lose sight of the cost imposed by technological security solutions versus what improvement they actually offer.
You could try out acme.sh that's written purely in shell. It's extremely capable and supports DNS challenge and multiple providers
I'd argue that that is a most likely objectively false statement and that the domain owner is in no position to authoritatively answer the question if it has ever served ads in that time. As it is served without TLS any party involved in the transportation of the data can mess with its content and e.g. insert ads. There are a number of reports of ISPs having done exactly that in the past, and some might still do it today. Therefore it is very likely that textfiles.com as shown in someone's browser has indeed had ads at some point in time, even if the one controlling the domain didn't insert them.
Textfiles also contains donation links for PayPal and Venmo. That is an attractive target to replace with something else.
And that is precisely the point: without TLS you do not have any authority over what anyone sees when visiting your website. If you don't care about that then fine, my comment about mangling all http traffic was a bit of a hyperbole. But don't be surprised when it happens anyway and donations meant for you go to someone else instead.
Nothing, really. But for physical mail the attacks against it don't scale nearly as well: you would need to insert yourself physically into the transportation chain and do physical work to mess with the content. Messing with mail is also taken much more seriously as an offense in many places, while laws are not as strict for network traffic generally.
For telephone conversations, at least until somewhat recently, the fact that synthesizing convincing speech in real time was not really feasible (especially not if you tried to imitate someone's speech) ensured some integrity of the conversation. That has changed, though.
If you browse through your smart TV, and the smart TV overlays an ad over the browser window, or to the side, is that the same as saying the original server is serving those ads? I hope you agree it is not.
If you use a web browser from a phone vendor who has a special Chromium build which inserts ads client-side in the browser, do you say that the server is serving those ads? Do you know that absolutely no browser vendors, including for low-cost phones, do this?
If your ISP requires you configure your browser to use their proxy service, and that proxy service can insert ads, do you say that the server is serving those ads? Are you absolutely sure no ISPs have this requirement?
If you use a service where you can email it a URL and it emails you the PDF of the web site, with some advertising at the bottom of each page, do you say the original server is really the one serving those ads?
If you read my web site through archive.org, and archive.org has its "please donate to us" ad, do you really say that my site is serving those ads?
Is there any web site which you can guarantee it's impossible for any possible user, no matter the hardware or connection, to see ads which did not come from the original server as long as the server has TLS? I find that impossible to believe.
I therefore conclude that your interpretation is meaningless.
> "as shown in someones browser"
Which is different than being served by the server, as I believe I have sufficiently demonstrated.
> But don't be surprised when it happens anyway
Jason Scott, who runs that site, will not be surprised.
It’s like a vaccine. We vaccinated most of the web against a very bad problem, and that has stopped the problem from happening in the first place. If 90% were still on http, way more ISPs would insert ads.
I agree it is not. That is why I didn't say that the original server served ads, but that the _domain_ served ads. Without TLS you don't have authority over what your domain serves, with TLS you do (well, in the absence of rogue CAs, against which we have a somewhat good system in place).
> If you use a web browser from a phone vendor who has a special Chromium build which inserts ads client-side in the browser, do you say that the server is serving those ads? Do you know that absolutely no browser vendors, including for low-cost phones, do this?
This is simply a compromised device.
> If your ISP requires you configure your browser to use their proxy service, and that proxy service can insert ads, do you say that the server is serving those ads? Are you absolutely sure no ISPs have this requirement?
This is an ISP giving you instructions to compromise your device.
> If you use a service where you can email it a URL and it emails you the PDF of the web site, with some advertising at the bottom of each page, do you say the original server is really the one serving those ads?
No, in this case I am clearly no longer looking at the website, but asking a third-party to convey it to me with whatever changes it makes to it.
> If you read my web site though archive.org, and archive.org has its "please donate to us" ad, do you really say that my site is serving those ads?
No, archive.org is then serving an ad on their own domain, while simultaneously showing an archived version of your website, the correctness of which I have to trust archive.org for.
> Is there any web site which you can guarantee it's impossible for any possible user, no matter the hardware or connection, to see ads which did not come from the original server as long as the server has TLS? I find that impossible to believe.
Fair point. I should have said that I additionally expect the client device to be uncompromised, otherwise all odds are off anyway as your examples show. The implicit scenario I was talking about includes an end-user using an uncompromised device and putting your domain into their browser's URL bar or making a direct http connection to your domain in some other way.
openssl s_client -connect news.ycombinator.com:443
and you can do the same. A simple wrapper, alias or something makes it as nice as telnet.
They want the historical integrity, which includes the lack of data integrity that you want.
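The telnet one-liner earlier in the thread and the openssl s_client one-liner above are the same HTTP/1.0 exchange with and without a TLS wrapper, which is the whole difference the thread is arguing about. Here is that exchange written out as an added example (not the thread's own code): fetch() sends a single HTTP/1.0 request over a plain socket exactly as the telnet session does, and with tls=True it first wraps the socket in Python's default TLS client context, which, unlike a raw telnet or s_client session, verifies the certificate chain and host name before any HTTP is sent. The local server it talks to in the demo is a constructed stand-in for a plain-http kebab shop page; nothing here contacts the real sites named above.

```python
"""Fetch a page the way 'telnet host 80' / 'openssl s_client' do, from
Python.  Added example, not code from the thread.  The local test server
is a constructed stand-in for a plain-http shop page."""
import socket
import ssl
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer


def build_request(host, path="/"):
    # HTTP/1.0 means the server closes the connection after one response,
    # so the client can simply read to EOF, just like the telnet session.
    return f"GET {path} HTTP/1.0\r\nHost: {host}\r\n\r\n".encode("ascii")


def parse_response(raw):
    """Split a raw HTTP response into (status_code, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    status = int(lines[0].split(" ")[1])          # "HTTP/1.0 200 OK"
    headers = {}
    for line in lines[1:]:
        key, _, value = line.partition(":")
        headers[key.strip().lower()] = value.strip()
    return status, headers, body


def fetch(host, port=None, path="/", tls=False, timeout=10.0):
    """Return (status_code, headers, body) for one GET.

    tls=False reproduces the telnet session: bytes go out in the clear and
    anyone on the path can read or rewrite them.  tls=True reproduces
    s_client, plus the checks a browser does: the default context loads the
    system CA store, requires a valid chain and matches the host name."""
    if port is None:
        port = 443 if tls else 80
    sock = socket.create_connection((host, port), timeout=timeout)
    if tls:
        ctx = ssl.create_default_context()
        sock = ctx.wrap_socket(sock, server_hostname=host)
    with sock:
        sock.sendall(build_request(host, path))
        chunks = []
        while True:                      # read until the server closes
            data = sock.recv(65536)
            if not data:
                break
            chunks.append(data)
    return parse_response(b"".join(chunks))


def start_local_server(body):
    """Constructed plain-http server on 127.0.0.1 for offline demos.
    Returns (port, shutdown_callable)."""
    class Handler(BaseHTTPRequestHandler):
        protocol_version = "HTTP/1.0"

        def do_GET(self):
            self.send_response(200)
            self.send_header("Content-Type", "text/html")
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)

        def log_message(self, *args):    # keep the demo quiet
            pass

    server = HTTPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server.server_address[1], server.shutdown


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:                # python fetch.py example.org [--tls]
        host, use_tls = sys.argv[1], "--tls" in sys.argv
        status, headers, body = fetch(host, tls=use_tls)
    else:                                # offline demo against the stand-in
        port, stop = start_local_server(b"<h1>Kebab House: call 555-0100</h1>")
        status, headers, body = fetch("127.0.0.1", port)
        stop()
    print(status, headers.get("content-type"), body[:80])
```

Running it against a real host with --tls is the s_client case; without it, the telnet case. The useful comparison is what fetch() refuses to do in TLS mode: a self-signed, expired or wrong-name certificate raises ssl.SSLCertVerificationError before the GET is sent, which is the "authority over what your domain serves" that the later comments in this thread are about.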
In practice, many pages are also intentionally compromised by their authors (e.g. including malware scripts from Google), and devices are similarly compromised, so end-to-end "integrity" of the page isn't something the device owner even necessarily wants (c.f. privoxy).
NSA was installing physical devices at network providers that were scouring through all information; they did not have to have Agent Smith opening envelopes or even looking at them. Keep in mind criminals could do the same as well, just pay off some employees at a provider, and also not all network providers are in countries where law enforcement works, and as mentioned your data can go through any of such network providers.
If I send physical mail I can be sure it is not going through Bangkok unless I specifically send it with destination that requires it to go there.