    569 points todsacerdoti | 16 comments
    imoreno ◴[] No.42599386[source]
    I agree with most of this. If every website followed these, the web would be heaven (again)...

    But why this one?

    >I don't force you to use SSL/TLS to connect here. Use it if you want, but if you can't, hey, that's fine, too.

    What is wrong with redirecting 80 to 443 in today's world?

    Security-wise, I know that something innocuous like a personal blog is not very sensitive, so encrypting that traffic is not that important. But as a matter of security policy, why not just encrypt everything? Once upon a time you might have cared about the extra CPU load from TLS, but nowadays it seems trivial. Encrypting everything arguably helps protect the secure stuff too, as it widens the attacker's search space.

    These days, browsers are moving towards treating HTTP as a bug and throw up annoying propaganda warnings about it. Just redirecting seems like the less annoying option.

    1. bigs ◴[] No.42600279[source]
    Why should web browsers treat http like a bug? Many sites don’t need https.
    2. yjftsjthsd-h ◴[] No.42600325[source]
    > Many sites don’t need https.

    Maybe intranet sites. Everything else absolutely should.

    https://doesmysiteneedhttps.com/

    3. muppetman ◴[] No.42600520[source]
    Those are some of the most pedantic grasping at straws reasons I've ever read. It's like they know there's nothing wrong with http so they've had to invent worst case nightmare scenarios to make their "It's so important" reasons stick. Https is great. I use it. That website is pathetic though.
    4. fractallyte ◴[] No.42601637{3}[source]
    The source footer ("View Page Source") summarizes it perfectly:

    Sites that need HTTPS: - all of them

    If you like it, you better put a lock on it.

    And, BTW, the website is as delightfully simple and unobtrusive as the one in the article.

    5. 542458 ◴[] No.42605366[source]
    I used to have an ISP that would inject ads into HTTP sites. Every site needs HTTPS.
    6. tehjoker ◴[] No.42605406[source]
    this is the statement of someone who wasn't around in 2013 when the snowden leaks happened and google's datacenters got owned. everyone switched to https shortly thereafter
    7. criddell ◴[] No.42605561[source]
    Every connection should be encrypted.

    Unencrypted connections can be weaponized by things like China’s Great Cannon.

    8. TRiG_Ireland ◴[] No.42605638{3}[source]
    ISPs injecting ads into HTTP websites isn't a weird edge case. I've seen it happen.
    9. einpoklum ◴[] No.42605708[source]
    Didn't everyone switch to TOR shortly after? :-(
    10. ◴[] No.42606893[source]
    11. tehjoker ◴[] No.42607223{3}[source]
    Some people use TOR, but the internet generally started using https for everything.
    12. dijit ◴[] No.42607475[source]
    Or, your ISP does not deserve to exist.
    13. FredPret ◴[] No.42608093{3}[source]
    True but you can’t build distributed systems that rely on every single actor being a good one. Hence encryption, the police, etc.
    14. dijit ◴[] No.42608840{4}[source]
    The police is a good example, instead of reinventing basal language, we instead have a body of people who enforce the law.

    It’s not like ISPs are unknown entities.

    15. homebrewer ◴[] No.42609309{5}[source]
    What about governments? In my country they perform MITM attacks against unencrypted HTTP, while the best they can do with HTTPS is to block the site. I'd much prefer everyone enforcing HTTPS at all times.
    16. muppetman ◴[] No.42691291{4}[source]
    And so what if my webpage about an obscure 1994 Australian rock band gets a few ads injected into it? Everything else in my life gets ads injected into it (TV, Music, Movies). Such a silly argument.