Comment by tomtomtom777
6 hours ago
Please use HTTPS.
I use HTTPS only. I don't think HTTP is acceptable for anyone let alone a technical blog post. It takes a few minutes, and it prevents me and all your visitors from getting all kinds of MITM injections.
Thanks.
It also prevents all kinds of clients who (for various reasons) can't implement SSL from visiting your website. I'm sure this is a "small web" blog, whose author wants to be visited by e.g. a Commodore 64, an OS 9 iMac, or somebody who just wants to telnet in. If the sensitivity of the information on this page was critical or you were going to be submitting information then by all means yes, SSL is important, but if you're going to be reading a personal blog about calendars then http is probably fine. Of course the ideal solution is offering both and letting the client choose.
MITM attack on a read-only text webpage... okay.
More annoying is the slightly shiny/shaded text that is supposed to highlight something. Who chose this style palette?
Haha, this is my blog -- it's pretty new. I agree its readability is less than ideal -- going to change it at some point. HTTPS as well, probably at some point. It's been an experiment for me doing everything by hand. The entire blog is a large single Rakefile using Markaby :)
For what it's worth, I actually liked the shaded links, they made me smile :)
Even just disabling CSS makes it readable. For HTTPS, I think that (like someone else mentioned) it should be made optional (at least for read-only access to public files) rather than mandatory.
Check out certbot and install certbot renew into crontab. Get the python3 variant; the "native" package is outdated and removed from newer systems.
It's HTML, which is code that your browser executes.
Millions of routers are compromised. BGP attacks happen. Anything http stands out as an interesting target for injection.
This position is foolish. It’s not a major ask to enable https.
For a random blog you have never visited before and have no reason to trust. It could attempt to do all the malicious things that you are worried a man in the middle would do.
The browser still has to execute code over HTTPS. You've just moved the injection perimeter from inside my own network into the provider's website. I don't think you've fundamentally changed your level of risk unless you spend a huge amount of time browsing on shared-password, WPA-protected wifi networks.
You cannot browse to sites under any regime and execute code while expecting security to exist.
Man I really hope this doesn't get autoflagged because people need to see that this is an opinion people actually have, and what the (justified) reaction to it is.
HTTPS on a blog does nothing. It doesn't protect you from anything. I guarantee you're not getting "all kinds of MITM injections" on this block of text. The only reasonable desire I can think of for "HTTPS everywhere" is hiding the content from your ISP but a) they still see the URL so they can get the content if they want it, and b) if you're so worried about that, use a VPN which coincidentally is even better because it will also hide the URL, and most importantly c) it puts the onus on you, the person who wants the thing, instead of hundreds or thousands or tens of thousands of text-only website owners who rightly couldn't care less about HTTPS.
>I guarantee you're not getting "all kinds of MITM injections" on this block of text
You actually can’t guarantee anything of the sort. BGP hijacks are real.
> they still see the URL so they can get the content if they want it
That's incorrect: a MitM can only reveal the server hostname by inspecting the SNI during the TLS handshake, but the HTTP request, including the URL and headers, is encrypted.
Surely your ISP can see every URL you visit if they have a reason to? They're routing the traffic.
I think you would have a better argument if you said something like: "I don't want my ISP knowing about the content I read" or something along those lines. MITM for a text download is like saying we have to have HTTPS for DNS (yes, DoH exists now), but the point still stands. You aren't sending any sensitive data to the website, MITM is unlikely.
Without HTTPS someone could alter the content, spread false information, inject ads, malware, and other stuff, redirect to some other site, …
(This is a general remark, but it goes for a blog post like this as well.)
It's still a weak argument since it's extremely rare in practice; that's why I suggested blaming the ISP instead, since ISPs are the ones that have historically tampered with HTTP content.
The site owners could do all of that even with HTTPS, and no-one would revoke their certs. Just saying.
And the best Windows malware is actually digitally signed.
Without HTTPS, every link in the chain between me and your website is a potential attack vector. Maybe I trust my ISP, but do I trust my buddy's cheapo router? What about the shadowy cabal that offers airport wifi?
With static webpages, the concern isn't someone snooping in on what I'm reading. It's someone injecting content, probably malware, into the page. Let's say I have a zero-click exploit for Chrome. What can I do with it? If I just stick it on a page I control, best I can hope for is spamming it all over the web and hoping someone clicks on it. Probably not a lot of impact before it gets patched. If instead, I can wait until some router firmware gets pwned, or an ISP, I can do a mass attack where I make all the vulnerable routers inject my exploit into all non-HTTPS web requests. Much greater exposure.
Just as a reminder, this was standard before SSL/TLS. Every webpage was http-only.
Surprised this is downvoted. Chrome forces me to click through a warning to even visit HTTP sites nowadays.
It only does that for me if there's an HTTPS option available but it's expired or not configured correctly. Chrome let me right into this site without that warning.
Turns out the warning I get is due to the Chrome setting "Always use secure connections".
I don't remember turning it on, but it's probable that I did. It's not a default yet but will be, come October: https://blog.google/security/https-by-defau/
Yup, very secure. Then every single IT department installs a cert on the machines to MITM everything.
I have no idea what you're trying to say, there's no IT department managing my laptop and none of the IT departments I've worked in or with "MITM everything." Do you want to try again?