https://blog.cr.yp.to/20220805-nsa.html works too.
Cryptography experts know when to care about security. Cryptography enthusiasts try to slap encryption on everything.
Why? HTTP is simpler, less fragile, not dependent on the goodwill of third parties, the content is public, and proving the authenticity of text on the Internet is always hard, even when served via the https scheme. I bet Bernstein thinks there is little point in forcing people to use https to read his page.
That's just wrong on so many levels. Troy Hunt has an excellent explanation: https://www.troyhunt.com/heres-why-your-static-website-needs...
Troy Hunt points out that HTTP traffic is sometimes MITMed in a way that clients and servers do not like, and HTTPS sometimes prevents that. I never said otherwise. I am saying for certain kinds of pages, it's not a major concern. Like for djb's website.
Why not use HTTPS for everything? Because it also has costs, not just benefits.
MITM could change what the client receives, right?
Yes. But if you worry about being a target for MITM attacks, https alone does not fix that problem. You need some reliable verification mechanism that is hard to fool. The current CA system or "trust on first use" are only partial, imperfect mechanisms.
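The comment above argues that authenticity of public text needs a verification mechanism that does not depend on the transport, and that CA-issued certificates and trust-on-first-use are only partial answers. The following Go program is an added example written for this thread; it is not code from the thread, from djb's site, or from any project mentioned here. It assumes one concrete mechanism, a detached Ed25519 signature served next to the page with the public key obtained out of band, and it models a TOFU pin store to show the gap the comment refers to. The key pairs, the host name `example.test`, and the page bodies are all constructed for the demonstration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Page is what a client received over plain HTTP: the body plus a detached
// signature the publisher serves next to it. Both can be altered in transit.
type Page struct {
	Body []byte
	Sig  []byte
}

// Publisher holds a long-term Ed25519 key pair (hypothetical; generated fresh
// each run). Only the public half needs to reach readers, and it has to reach
// them out of band (a printed fingerprint, a key shipped in a distribution
// package, a pin in a config file); the transport itself never vouches for it.
type Publisher struct {
	Pub  ed25519.PublicKey
	Priv ed25519.PrivateKey
}

func NewPublisher() (*Publisher, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Publisher{Pub: pub, Priv: priv}, nil
}

// Publish signs the page body; the signature travels with the page.
func (p *Publisher) Publish(body []byte) Page {
	return Page{Body: body, Sig: ed25519.Sign(p.Priv, body)}
}

// VerifyPage checks a fetched page against a key the reader already trusts.
// It does not matter whether the bytes came over http or https, or through a
// middlebox: a changed body, a replaced signature, or a signature made with a
// different key all fail.
func VerifyPage(trusted ed25519.PublicKey, pg Page) bool {
	if len(pg.Sig) != ed25519.SignatureSize {
		return false
	}
	return ed25519.Verify(trusted, pg.Body, pg.Sig)
}

// Fingerprint is the value a reader would compare against an out-of-band copy.
func Fingerprint(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return hex.EncodeToString(sum[:])
}

// PinStore models "trust on first use": the first key seen for a host is
// pinned and later connections are compared against it.
type PinStore map[string]string

// CheckTOFU reports whether the presented key matches the pin and whether this
// was the first contact. On first contact it pins whatever key it is shown, so
// an attacker who controls that first connection gets pinned and the legitimate
// key is rejected afterwards: TOFU detects a change of key, not a wrong key.
func (s PinStore) CheckTOFU(host string, presented ed25519.PublicKey) (ok, firstUse bool) {
	fp := Fingerprint(presented)
	if pinned, seen := s[host]; seen {
		return pinned == fp, false
	}
	s[host] = fp
	return true, true
}

func main() {
	publisher, _ := NewPublisher() // the real site's key (hypothetical)
	mitm, _ := NewPublisher()      // an on-path attacker with its own key

	// Constructed sample content; not a real page.
	page := publisher.Publish([]byte("<p>Plain HTTP is fine for public text.</p>"))
	fmt.Println("genuine page verifies:", VerifyPage(publisher.Pub, page))

	// A middlebox rewrites the body but cannot produce the publisher's signature.
	forged := Page{Body: []byte("<p>Please install this update.</p>"), Sig: page.Sig}
	fmt.Println("rewritten body verifies:", VerifyPage(publisher.Pub, forged))

	// Re-signing with the attacker's key does not help against an out-of-band key.
	fmt.Println("re-signed by attacker verifies:", VerifyPage(publisher.Pub, mitm.Publish(forged.Body)))

	// TOFU without an out-of-band key: whoever answers first wins.
	pins := PinStore{}
	ok, first := pins.CheckTOFU("example.test", mitm.Pub)
	fmt.Printf("first contact (attacker answers): ok=%v first=%v\n", ok, first)
	ok, first = pins.CheckTOFU("example.test", publisher.Pub)
	fmt.Printf("later contact (real key): ok=%v first=%v\n", ok, first)
}
```

The signature check is independent of the URL scheme, which is the point being made: HTTPS protects the channel, but only a key the reader obtained some other way proves who wrote the text. The TOFU half shows the failure mode in the same code: it only ever notices that the key changed, so the party that answers the very first request decides what gets pinned.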
Just FYI, on my Firefox it's saying "Connection Secure (upgraded to https)"; it's actually using ECDHE CHACHA20 SHA256.
Note: I have "Enable HTTPS-Only Mode in all windows" on by default.