undefined | Better HN

0 pointssuperkuh5y ago0 comments

>are not harming others

How is HTTP harmful when you visit my website about amateur radio? An expired cert is no more harmful than bare http in this non-commercial non-institional personal context. It's the one being discussed in this sub-thread in case you missed it and assumed the normal HN business context.

The burden is real and completely unecessary for personal websites. This makes the web more commercial by imposing commercial requirements on everyone.

It's what killed off self-signing as a speed bump against massive surveillance and centralized everyone into the benign dictactorship of letsencrypt. But centralization will lead to problems when money is involved. Just look at dot org.

The real harm comes from this fetishism of commercial/institutional security models.

0 comments

j1elo5y ago

> How is HTTP harmful when you visit my website about amateur radio?

"Unharmful" HTTP sites are used to silently hack people's computers and keep them under observation for months. Every unsecured site contributes their small piece to keep the web unsafe for people who needs it to be safe.

https://www.amnesty.org/en/latest/research/2020/06/moroccan-...

superkuhOP5y ago

This is exactly the same as blaming getting shot at a neighbor's BBQ on the neighbor for not hiring private security to deal with the government army specifically attacking you.

If your threat model includes nation state attacks you're gonna have problems no matter what. Change your personal behavior accordingly. Don't tell everyone else they need to wear bullet proof vests around the house and hire corporate security goons. They don't and doing so is burdensome.

j1elo5y ago

You're right, today. But as everything, stuff that starts as very advanced tools only at the disposal of big agencies, with time ends up being reachable for more mundane users, or in this case, criminals.

So, in a way, it's probably just a matter of time that the kind of silent hack depicted in the Amnesty article is used for attacks targeted towards more general victims. I don't look forward to the day that just by reading an unprotected HTTP site is enough to get my phone compromised as part of a widespread scamming effort from someone trying to get credit card details or banking stuff... but it will propbably end up coming if we don't move all together for a more secure WWW.

1 more reply

staticassertion5y ago

The problem with your analogy is that it downplays certain aspects and plays up others.

Attacks on HTTP sites are known threats that we have evidence for, they aren't ridiculous or unheard of. The defense is not "everyone where a bulletproof vest", it's get a certificate and set up HTTPS - a one time cost that will protect thousands of people.

You're making the choice for your users, who may not be as informed as you are, to not protect them. That's very different from asking them to wear a bulletproof vest.

cutler5y ago

Agreed. I'm sick to the back teeth of fscking with HTTPS/SSL on all the client static sites I manage. Certbot-apache was so flaky I had to switch every client to Nginx so that I could use certbot-nginx. The web has become a no-go zone for do-it-yourselfers. If I didn't setup my clients in VPSs I don't know how we would manage all the mailserver blacklisting and endless HTTPS/SSL requirements.

gsich5y ago

dehydrated is nice and painless.

prophesi5y ago

These days, it's harder to set up a website _without_ SSL/TLS. If you're buying a domain name, they'll likely offer free HTTPS. If you're setting up a site via Shopify / Wix / etc, it'll use HTTPS. From what I've seen, sites without a valid certificate are either ancient and no longer maintained, or are built by devs learning the ropes of web development and haven't bothered to set up certbot on their server just yet.

There was already a fetishism of commercial/institutional security, and LetsEncrypt gave it quite the blow. Now companies that you used to have to pay a yearly fee for a certificate are offering their certificates for free.

It does stink that corporations have to be in the middle in the first place, but that's due to the difficult problem of "trust." I'm not sure it's possible to decentralize it, besides some sort of blockchain solution that would be unworkable in the real world.

staticassertion5y ago

> It's the one being discussed in this sub-thread in case you missed it and assumed the normal HN business context.

I did miss that but I did not assume a business context.

> The burden is real and completely unecessary for personal websites.

Users who visit your website are still at risk of having their connection hijacked - they could be phished, exploited, etc. This is maybe not something you consider important, it is certainly a sort of "boil the ocean" approach, but given the efforts put in up until this point I think it's already the case that most users are probably not visiting HTTP sites on the average day. Continuing that effort seems reasonable.

> This makes the web more commercial by imposing commercial requirements on everyone.

I'm not sure what you mean.

yjftsjthsd-h5y ago

We have had this conversation to death: https://doesmysiteneedhttps.com/

at_a_remove5y ago

I find some of the arguments on that page, uh ... unhelpful at best. Circular, even.

yjftsjthsd-h5y ago

I guess I could see that for a small subset of the arguments presented, but that leaves all the rest. Honestly, "There's nothing sensitive on my site anyway." covers 90% of arguments I've seen against HTTPS and that answer is strong. The presence of weak arguments doesn't undermine the strong arguments.

ikiris5y ago

There are injection tools that don't seek to steal data, but to weaponize your client.

heavenlyblue5y ago

It’s free to own a certificate today, so doesn’t matter.

j / k navigate · click thread line to collapse

0 comments

j1elo5y ago

> How is HTTP harmful when you visit my website about amateur radio?

https://www.amnesty.org/en/latest/research/2020/06/moroccan-...

superkuhOP5y ago

This is exactly the same as blaming getting shot at a neighbor's BBQ on the neighbor for not hiring private security to deal with the government army specifically attacking you.

j1elo5y ago

1 more reply

staticassertion5y ago

The problem with your analogy is that it downplays certain aspects and plays up others.

You're making the choice for your users, who may not be as informed as you are, to not protect them. That's very different from asking them to wear a bulletproof vest.

cutler5y ago

gsich5y ago

dehydrated is nice and painless.

prophesi5y ago

staticassertion5y ago

> It's the one being discussed in this sub-thread in case you missed it and assumed the normal HN business context.

I did miss that but I did not assume a business context.

> The burden is real and completely unecessary for personal websites.

> This makes the web more commercial by imposing commercial requirements on everyone.

I'm not sure what you mean.

yjftsjthsd-h5y ago

We have had this conversation to death: https://doesmysiteneedhttps.com/

at_a_remove5y ago

I find some of the arguments on that page, uh ... unhelpful at best. Circular, even.

yjftsjthsd-h5y ago

ikiris5y ago

There are injection tools that don't seek to steal data, but to weaponize your client.

heavenlyblue5y ago

It’s free to own a certificate today, so doesn’t matter.

j / k navigate · click thread line to collapse