569 points todsacerdoti | 10 comments
imoreno ◴[] No.42599386[source]
I agree with most of this. If every website followed these, the web would be heaven (again)...

But why this one?

>I don't force you to use SSL/TLS to connect here. Use it if you want, but if you can't, hey, that's fine, too.

What is wrong with redirecting 80 to 443 in today's world?

Security-wise, I know that something innocuous like a personal blog is not very sensitive, so encrypting that traffic is not that important. But as a matter of security policy, why not just encrypt everything? Once upon a time you might have cared about the extra CPU load from TLS, but nowadays it seems trivial. Encrypting everything arguably helps protect the secure stuff too, as it widens the attacker's search space.

These days, browsers are moving towards treating HTTP as a bug and throwing up annoying propaganda warnings about it. Just redirecting seems like the less annoying option.

replies(10): >>42599423 #>>42599448 #>>42599461 #>>42599916 #>>42600279 #>>42601148 #>>42605479 #>>42605998 #>>42609172 #>>42627972 #
throwaway58670 ◴[] No.42601148[source]
Some old-enough browsers don't support SSL. At all.

Also, something I often see non-technical people fall victim to is that if your clock is off, the entirety of the secure web is inaccessible to you. Why should a blog (as opposed to say online banking) break for this reason?

replies(2): >>42602791 #>>42607644 #
1. Gud ◴[] No.42602791[source]
How old are these browsers and why should I let them online? Must be decades old.
replies(5): >>42603535 #>>42606909 #>>42608078 #>>42609407 #>>42621503 #
2. niutech ◴[] No.42603535[source]
Android versions prior to 4.4 support only TLS 1.0, which is deprecated, and many old devices aren't upgradable. The same for Mobile IE 10.

IE 10 in Windows Server 2008 doesn't support TLS 1.1+ by default.

replies(1): >>42609254 #
3. layer8 ◴[] No.42606909[source]
Usually browsers on hobbyist legacy operating systems, to which modern browsers haven’t or can’t be ported, not to mention keeping root certificates up to date. Or even if they do support SSL, then only older algorithms and older versions of the protocol. It’s nice to still be able to browse at least part of the web with those.
4. wpm ◴[] No.42608078[source]
> Must be decades old.

So? If they still power on and are capable of talking HTTP over a network, and you don't require the transfer of data that needs to be secured, why shouldn't you "let" them online?

replies(2): >>42608103 #>>42609731 #
5. fragmede ◴[] No.42608103[source]
I don't know about you, but I'd rather my ancient laptop not end up as part of a botnet simply because I visited the wrong website with it.
6. robinsonb5 ◴[] No.42609254[source]
Yup, my last phone upgrade was prompted by this.

But the old phone is significantly better at making actual phone calls than the new one.

7. olau ◴[] No.42609407[source]
The problem is usually SSL support, the problem is that older SSL and TLS versions are being disabled.

I actually have an example myself - an iPad 3. Apple didn't allow anyone else than themselves to provide a web browser engine, and at some point they deliberately stopped updates. This site used to work, until some months ago. I currently use it for e-books; if that wasn't the case I think by now it would essentially be software bricked.

I acknowledge that owning older Apple hardware is dumb. I didn't pay for it, though.

8. Gud ◴[] No.42609731[source]
Why you shouldn’t use old, unpatched software on an open network that doesn’t support modern protocols?

Beats me.

replies(1): >>42617925 #
9. ◴[] No.42617925{3}[source]
10. verzali ◴[] No.42621503[source]
Why is it your job to police the browsers people use?