←back to thread

489 points gslin | 4 comments | | HN request time: 0.963s | source
Show context
pests ◴[] No.42191619[source]
It feels like just yesterday I was paying for certs, or worst, just running without.

Can't believe its been ten years.

replies(1): >>42191666 #
ozim ◴[] No.42191666[source]
Can’t believe there are still anti TLS weirdos.
replies(7): >>42191688 #>>42191718 #>>42191893 #>>42192714 #>>42192733 #>>42193057 #>>42193614 #
dijit ◴[] No.42191688[source]
The digital equivalent of a local kebab shop menu does not need encryption.

The lack of understanding from us as technologists for people who would have had a working site and are now forced into either: an oligopoly of site hosting companies, or, for their site to break consistently as TLS standards rotate is one thing that brings me shame about our community.

You can come up with all kinds of reasons to gatekeep website hosting, “they have to update anyway” even when updating means reinstallion of an OS, “its not that hard to rotate” say people with deep knowledge of computers, “just get someone else to do it” say people who have a financial interest in it being that way.

Framing people with legitimate issues as weirdo’s is not as charming as you think it is.

replies(6): >>42191746 #>>42191752 #>>42191760 #>>42191778 #>>42191785 #>>42191894 #
johannes1234321 ◴[] No.42191752[source]
TLS doesn't just hide the information transmitted, but also ensures the integrity. Thus nobody on the network tinkered with the prices on the menu.

Also the Kebap Shop probably has a form for reservation or ordering, which takes personal information.

True, they are all low risk things, but getting TLS is trivial (since many Webservers etc can do letsencrypt rotation fully automatically) and secure defaults are a good thing.

replies(3): >>42191784 #>>42191896 #>>42192727 #
dijit ◴[] No.42191784[source]
There are plenty of websites that were just static pages used for conveying information. Most people who set them up lacked the ability to turn them into forms that connected to anything.

They’ve nearly all been lost to time now though, if a shop has a web-presence it will be through a provider such as “bokabord”, doordash, ubereats (as mentioned), some of whom charge up to 30% of anything booked/ordered via the web.

But, I guess no MITM can manipulate prices… except, by charging…

replies(2): >>42191863 #>>42191985 #
matrss ◴[] No.42191863[source]
> There are plenty of websites that were just static pages used for conveying information.

If you care about the integrity of the conveyed information you need TLS. If you don't, you wouldn't have published a website in the first place.

A while back I've seen a wordpress site for a podcast without https where people also argued it doesn't need it. They had banking information for donations on that site.

Sometimes I wish every party involved in transporting packets on the internet would just mangle all unencrypted http that they see, if only to make a point...

replies(4): >>42191908 #>>42192753 #>>42192786 #>>42197635 #
eesmith ◴[] No.42192786[source]
There is a specific class of websites that will always support non-TLS connections, like http://home.mcom.com/ and http://textfiles.com/ .

Like, "telnet textfiles.com 80" then "GET / HTTP/1.0", <enter>, "Location: textfile.com" <enter><enter> and you have the page.

What would be the point of making these unencrypted sites disappear?

replies(2): >>42193242 #>>42194298 #
1. matrss ◴[] No.42193242[source]
textfiles.com says: "TEXTFILES.COM has been online for nearly 25 years with no ads or clickthroughs."

I'd argue that that is a most likely objectively false statement and that the domain owner is in no position to authoritatively answer the question if it has ever served ads in that time. As it is served without TLS any party involved in the transportation of the data can mess with its content and e.g. insert ads. There are a number of reports of ISPs having done exactly that in the past, and some might still do it today. Therefore it is very likely that textfiles.com as shown in someones browser has indeed had ads at some point in time, even if the one controlling the domain didn't insert them.

Textfiles also contains donation links for PayPal and Venmo. That is an attractive target to replace with something else.

And that is precisely the point: without TLS you do not have any authority over what anyone sees when visiting your website. If you don't care about that then fine, my comment about mangling all http traffic was a bit of a hyperbole. But don't be surprised when it happens anyway and donations meant for you go to someone else instead.

replies(1): >>42193647 #
2. eesmith ◴[] No.42193647[source]
There is a big difference between "served ads" and "ads inserted downstream."

If you browse through your smart TV, and the smart TV overlays an ad over the browser window, or to the side, is that the same as saying the original server is serving those ads? I hope you agree it is not.

If you use a web browser from a phone vendor who has a special Chromium build which inserts ads client-side in the browser, do you say that the server is serving those ads? Do you know that absolutely no browser vendors, including for low-cost phones, do this?

If your ISP requires you configure your browser to use their proxy service, and that proxy service can insert ads, do you say that the server is serving those ads? Are you absolutely sure no ISPs have this requirement?

If you use a service where you can email it a URL and it emails you the PDF of the web site, with some advertising at the bottom of each page, do you say the original server is really the one serving those ads?

If you read my web site though archive.org, and archive.org has its "please donate to us" ad, do you really say that my site is serving those ads?

Is there any web site which you can guarantee it's impossible for any possible user, no matter the hardware or connection, to see ads which did not come from the original server as long as the server has TLS? I find that impossible to believe.

I therefore conclude that your interpretation is meaningless.

> "as shown in someones browser"

Which is different than being served by the server, as I believe I have sufficiently demonstrated.

> But don't be surprised when it happens anyway

Jason Scott, who runs that site, will not be surprised.

replies(1): >>42193934 #
3. matrss ◴[] No.42193934[source]
> If you browse through your smart TV, and the smart TV overlays an ad over the browser window, or to the side, is that the same as saying the original server is serving those ads? I hope you agree it is not.

I agree it is not. That is why I didn't say that the original server served ads, but that the _domain_ served ads. Without TLS you don't have authority over what your domain serves, with TLS you do (well, in the absence of rogue CAs, against which we have a somewhat good system in place).

> If you use a web browser from a phone vendor who has a special Chromium build which inserts ads client-side in the browser, do you say that the server is serving those ads? Do you know that absolutely no browser vendors, including for low-cost phones, do this?

This is simply a compromised device.

> If your ISP requires you configure your browser to use their proxy service, and that proxy service can insert ads, do you say that the server is serving those ads? Are you absolutely sure no ISPs have this requirement?

This is an ISP giving you instructions to compromise your device.

> If you use a service where you can email it a URL and it emails you the PDF of the web site, with some advertising at the bottom of each page, do you say the original server is really the one serving those ads?

No, in this case I am clearly no longer looking at the website, but asking a third-party to convey it to me with whatever changes it makes to it.

> If you read my web site though archive.org, and archive.org has its "please donate to us" ad, do you really say that my site is serving those ads?

No, archive.org is then serving an ad on their own domain, while simultaneously showing an archived version of your website, the correctness of which I have to trust archive.org for.

> Is there any web site which you can guarantee it's impossible for any possible user, no matter the hardware or connection, to see ads which did not come from the original server as long as the server has TLS? I find that impossible to believe.

Fair point. I should have said that I additionally expect the client device to be uncompromised, otherwise all odds are off anyway as your examples show. The implicit scenario I was talking about includes an end-user using an uncompromised device and putting your domain into their browsers URL bar or making a direct http connection to your domain in some other way.

replies(1): >>42196158 #
4. eesmith ◴[] No.42196158{3}[source]
While both those domains have a specific goal of letting people browse the web as it if were the 1990s, including using 1990s-era web browsers.

They want the historical integrity, which includes the lack of data integrity that you want.