←back to thread

Web page annoyances that I don't inflict on you

(rachelbythebay.com)
569 points todsacerdoti | 3 comments | 05 Jan 25 01:54 UTC | HN request time: 0.659s | source
Show context
imoreno ◴[05 Jan 25 02:56 UTC] No.42599386[source]
I agree with most of this. If every website followed these, the web would be heaven (again)...

But why this one?

>I don't force you to use SSL/TLS to connect here. Use it if you want, but if you can't, hey, that's fine, too.

What is wrong with redirecting 80 to 443 in today's world?

Security wise, I know that something innocuous like a personal blog is not very sensitive, so encrypting that traffic is not that important. But as a matter of security policy, why not just encrypt everything? Once upon a time you might have cared about the extra CPU load from TLS, but nowadays it seems trivial. Encrypting everything arguably helps protect the secure stuff too, as it widens the attacker's search space.

These days, browser are moving towards treating HTTP as a bug and throw up annoying propaganda warnings about it. Just redirecting seems like the less annoying option.

replies(10): >>42599423 #>>42599448 #>>42599461 #>>42599916 #>>42600279 #>>42601148 #>>42605479 #>>42605998 #>>42609172 #>>42627972 #
nayuki ◴[05 Jan 25 03:12 UTC] No.42599461[source]
When you force TLS/HTTPS, you are committing both yourself (server) and the reader (client) to a perpetual treadmill of upgrades (a.k.a. churn). This isn't a value judgement, it is a fact; it is a positive statement, not a normative statement. Roughly speaking, the server and client softwares need to be within say, 5 years of each other, maybe 10 years at maximum - or else they are not compatible.

For both sides, you need to continually agree on root certificates (think of how the ISRG had to gradually introduce itself to the world - first through cross-signing, then as a root), protocol versions (e.g. TLSv1.3), and cipher suites.

For the server operator specifically, you need to find a certificate authority that works for you and then continually issue new certificates before the old one expires. You might need to deal with ordering a revocation in rare cases.

I can think of a few reasons for supporting unsecured HTTP: People using old browsers on old computers/phones (say Android 4 from 10 years ago), extremely outdated computers that might be controlling industrial equipment with long upgrade cycles, simple HTTP implementations for hobbyists and people looking to reimplement systems from scratch.

I haven't formed a strong opinion on whether HTTPS-only is the way to go or dual HTTP/HTTPS is an acceptable practice, so I don't really make recommendations on what other people should do.

For my own work, I use HTTPS only because exposing my services to needless vulnerabilities is dumb. But I understand if other people have other considerations and weightings.

replies(2): >>42599484 #>>42606664 #
1. rubatuga ◴[06 Jan 25 01:34 UTC] No.42606664[source]
Then just use a proxy for your older browsers, I think the onus is not on the site owner but instead the device.
replies(1): >>42607612 #
2. marcosdumay ◴[06 Jan 25 04:17 UTC] No.42607612[source]
Imagine if it was required that every single device or machine on your life to be designed within 5 years of every other one or they wouldn't work together.

We would be constantly trying to finish a home we could actually use, and forget about fruits or wood agriculture.

There's something deeply broken about computers. And that's from someone deeply on the camp that "yes, everybody must use TLS on the web".

replies(1): >>42609339 #
3. dns_snek ◴[06 Jan 25 10:26 UTC] No.42609339[source]
> There's something deeply broken about computers.

It's just not that mysterious, if we want our communications to be secure (we do) then we can't reasonably use ciphers that have been broken, since any adversary can insert themselves in the middle and negotiate both sides down to their most insecure denominator, if they allow it.