Most active commenters
  • matrss(4)
  • eesmith(4)

←back to thread

512 points gslin | 19 comments | | HN request time: 0.863s | source | bottom
Show context
pests ◴[] No.42191619[source]
It feels like just yesterday I was paying for certs, or worst, just running without.

Can't believe its been ten years.

replies(1): >>42191666 #
ozim ◴[] No.42191666[source]
Can’t believe there are still anti TLS weirdos.
replies(7): >>42191688 #>>42191718 #>>42191893 #>>42192714 #>>42192733 #>>42193057 #>>42193614 #
dijit ◴[] No.42191688[source]
The digital equivalent of a local kebab shop menu does not need encryption.

The lack of understanding from us as technologists for people who would have had a working site and are now forced into either: an oligopoly of site hosting companies, or, for their site to break consistently as TLS standards rotate is one thing that brings me shame about our community.

You can come up with all kinds of reasons to gatekeep website hosting, “they have to update anyway” even when updating means reinstallion of an OS, “its not that hard to rotate” say people with deep knowledge of computers, “just get someone else to do it” say people who have a financial interest in it being that way.

Framing people with legitimate issues as weirdo’s is not as charming as you think it is.

replies(6): >>42191746 #>>42191752 #>>42191760 #>>42191778 #>>42191785 #>>42191894 #
1. johannes1234321 ◴[] No.42191752[source]
TLS doesn't just hide the information transmitted, but also ensures the integrity. Thus nobody on the network tinkered with the prices on the menu.

Also the Kebap Shop probably has a form for reservation or ordering, which takes personal information.

True, they are all low risk things, but getting TLS is trivial (since many Webservers etc can do letsencrypt rotation fully automatically) and secure defaults are a good thing.

replies(3): >>42191784 #>>42191896 #>>42192727 #
2. dijit ◴[] No.42191784[source]
There are plenty of websites that were just static pages used for conveying information. Most people who set them up lacked the ability to turn them into forms that connected to anything.

They’ve nearly all been lost to time now though, if a shop has a web-presence it will be through a provider such as “bokabord”, doordash, ubereats (as mentioned), some of whom charge up to 30% of anything booked/ordered via the web.

But, I guess no MITM can manipulate prices… except, by charging…

replies(2): >>42191863 #>>42191985 #
3. matrss ◴[] No.42191863[source]
> There are plenty of websites that were just static pages used for conveying information.

If you care about the integrity of the conveyed information you need TLS. If you don't, you wouldn't have published a website in the first place.

A while back I've seen a wordpress site for a podcast without https where people also argued it doesn't need it. They had banking information for donations on that site.

Sometimes I wish every party involved in transporting packets on the internet would just mangle all unencrypted http that they see, if only to make a point...

replies(4): >>42191908 #>>42192753 #>>42192786 #>>42197635 #
4. megous ◴[] No.42191896[source]
You can get integrity at higher levels in the stack (or lower).
5. burnished ◴[] No.42191985[source]
Huh. Never thought about it that way; replacing hypothetical MITM attacks with genuine middlemen.
6. account42 ◴[] No.42192727[source]
The Kebab Shop also takes orders over the phone, which is not any more encrypted.

And prices are more likely to be simply outdated than modified by a malicious entity. Your concerns are not based in reality.

replies(1): >>42193759 #
7. account42 ◴[] No.42192753{3}[source]
What ensures the integrity of conveyed information for physical mail? For flyers? For telephone conversations?

The cryptography community would have you believe that the only solution to getting scammed is encryption. It isn't.

replies(2): >>42193334 #>>42203926 #
8. eesmith ◴[] No.42192786{3}[source]
There is a specific class of websites that will always support non-TLS connections, like http://home.mcom.com/ and http://textfiles.com/ .

Like, "telnet textfiles.com 80" then "GET / HTTP/1.0", <enter>, "Location: textfile.com" <enter><enter> and you have the page.

What would be the point of making these unencrypted sites disappear?

replies(2): >>42193242 #>>42194298 #
9. matrss ◴[] No.42193242{4}[source]
textfiles.com says: "TEXTFILES.COM has been online for nearly 25 years with no ads or clickthroughs."

I'd argue that that is a most likely objectively false statement and that the domain owner is in no position to authoritatively answer the question if it has ever served ads in that time. As it is served without TLS any party involved in the transportation of the data can mess with its content and e.g. insert ads. There are a number of reports of ISPs having done exactly that in the past, and some might still do it today. Therefore it is very likely that textfiles.com as shown in someones browser has indeed had ads at some point in time, even if the one controlling the domain didn't insert them.

Textfiles also contains donation links for PayPal and Venmo. That is an attractive target to replace with something else.

And that is precisely the point: without TLS you do not have any authority over what anyone sees when visiting your website. If you don't care about that then fine, my comment about mangling all http traffic was a bit of a hyperbole. But don't be surprised when it happens anyway and donations meant for you go to someone else instead.

replies(2): >>42193647 #>>42219574 #
10. matrss ◴[] No.42193334{4}[source]
> What ensures the integrity of conveyed information for physical mail? For flyers? For telephone conversations?

Nothing, really. But for physical mail the attacks against it don't scale nearly as well: you would need to insert yourself physically into the transportation chain and do physical work to mess with the content. Messing with mail is also taken much more seriously as an offense in many places, while laws are not as strict for network traffic generally.

For telephone conversations, at least until somewhat recently, the fact that synthesizing convincing speech in real time was not really feasible (especially not if you tried to imitate someones speech) ensured some integrity of the conversation. That has changed, though.

11. eesmith ◴[] No.42193647{5}[source]
There is a big difference between "served ads" and "ads inserted downstream."

If you browse through your smart TV, and the smart TV overlays an ad over the browser window, or to the side, is that the same as saying the original server is serving those ads? I hope you agree it is not.

If you use a web browser from a phone vendor who has a special Chromium build which inserts ads client-side in the browser, do you say that the server is serving those ads? Do you know that absolutely no browser vendors, including for low-cost phones, do this?

If your ISP requires you configure your browser to use their proxy service, and that proxy service can insert ads, do you say that the server is serving those ads? Are you absolutely sure no ISPs have this requirement?

If you use a service where you can email it a URL and it emails you the PDF of the web site, with some advertising at the bottom of each page, do you say the original server is really the one serving those ads?

If you read my web site though archive.org, and archive.org has its "please donate to us" ad, do you really say that my site is serving those ads?

Is there any web site which you can guarantee it's impossible for any possible user, no matter the hardware or connection, to see ads which did not come from the original server as long as the server has TLS? I find that impossible to believe.

I therefore conclude that your interpretation is meaningless.

> "as shown in someones browser"

Which is different than being served by the server, as I believe I have sufficiently demonstrated.

> But don't be surprised when it happens anyway

Jason Scott, who runs that site, will not be surprised.

replies(1): >>42193934 #
12. philistine ◴[] No.42193759[source]
The fact that content on http websites hasn’t been maliciously switched does not mean that https didn’t work.

It’s like a vaccine. We vaccinated most of the web against a very bad problem, and that has stopped the problem from happening in the first place. If 90% were still on http, way more ISPs would insert ads.

13. matrss ◴[] No.42193934{6}[source]
> If you browse through your smart TV, and the smart TV overlays an ad over the browser window, or to the side, is that the same as saying the original server is serving those ads? I hope you agree it is not.

I agree it is not. That is why I didn't say that the original server served ads, but that the _domain_ served ads. Without TLS you don't have authority over what your domain serves, with TLS you do (well, in the absence of rogue CAs, against which we have a somewhat good system in place).

> If you use a web browser from a phone vendor who has a special Chromium build which inserts ads client-side in the browser, do you say that the server is serving those ads? Do you know that absolutely no browser vendors, including for low-cost phones, do this?

This is simply a compromised device.

> If your ISP requires you configure your browser to use their proxy service, and that proxy service can insert ads, do you say that the server is serving those ads? Are you absolutely sure no ISPs have this requirement?

This is an ISP giving you instructions to compromise your device.

> If you use a service where you can email it a URL and it emails you the PDF of the web site, with some advertising at the bottom of each page, do you say the original server is really the one serving those ads?

No, in this case I am clearly no longer looking at the website, but asking a third-party to convey it to me with whatever changes it makes to it.

> If you read my web site though archive.org, and archive.org has its "please donate to us" ad, do you really say that my site is serving those ads?

No, archive.org is then serving an ad on their own domain, while simultaneously showing an archived version of your website, the correctness of which I have to trust archive.org for.

> Is there any web site which you can guarantee it's impossible for any possible user, no matter the hardware or connection, to see ads which did not come from the original server as long as the server has TLS? I find that impossible to believe.

Fair point. I should have said that I additionally expect the client device to be uncompromised, otherwise all odds are off anyway as your examples show. The implicit scenario I was talking about includes an end-user using an uncompromised device and putting your domain into their browsers URL bar or making a direct http connection to your domain in some other way.

replies(1): >>42196158 #
14. johannes1234321 ◴[] No.42194298{4}[source]
Instead of using telnet, switch over to an TLS client.

    openssl s_client -connect news.ycombinator.com:443
and you can do the same. A simple wrapper, alias or something makes it as nice as telnet.
replies(1): >>42195931 #
15. eesmith ◴[] No.42195931{5}[source]
My goal was to demonstrate that it supported http, and did not require TLS.
16. eesmith ◴[] No.42196158{7}[source]
While both those domains have a specific goal of letting people browse the web as it if were the 1990s, including using 1990s-era web browsers.

They want the historical integrity, which includes the lack of data integrity that you want.

17. ndriscoll ◴[] No.42197635{3}[source]
I'm pretty sure tons of people have made web pages or sites without caring about the integrity of the conveyed information. Not every website is something important like banking. It doesn't matter if a nefarious actor tweaks the information on a Shining Force II shrine (and even then, only for people who they're able to MITM).

In practice, many pages are also intentionally compromised by their authors (e.g. including malware scripts from Google), and devices are similarly compromised, so end-to-end "integrity" of the page isn't something the device owner even necessarily wants (c.f. privoxy).

18. ozim ◴[] No.42203926{4}[source]
My post I am typing here can happily go through Russia/China/India and you cannot do anything about it - and bad actors can actually make your traffic to go through them as per BGP hijacking that was happening multiple times.

NSA was installing physical devices at network providers that was scouring through all information - they did not have to have Agent Smith opening envelopes or even looking at them. Keep in mind criminals could do the same as well just pay off some employees at provider and also not all network providers are in countries where law enforcement works - and as mentioned your data can go through any of such network providers.

If I send physical mail I can be sure it is not going through Bangkok unless I specifically send it with destination that requires it to go there.

19. textfiles ◴[] No.42219574{5}[source]
This argument is stupid.