undefined | Better HN

0 pointsfilmor5y ago0 comments

HTTP traffic would be unencrypted, so everyone (esp. on Wifi) could record passwords etc. flying around. With HTTPS, you at least need to MITM the connection to do that. If you establish trust in some other way (cert ID printed on the device?), the connection is secure.

0 comments

riskable5y ago

Not just intercept: Using HTTPS prevents messing with the connection in-flight. So an attacker won't be able to inject their own payload into that web page you just requested.

CountSessine5y ago

Except you’re using garbage certificates so anyone could MITM you and inject whatever they like.

bavell5y ago

In what way are self-signed certs garbage? They're essentially the same as ssh certs.

1 more reply

samus5y ago

That's a separate kind of attack, not intrinsic to the protocol. If the keypair got leaked or a CA misbehaves and issues multiple certificates that can be used for a host, then yes, it can happen.

j / k navigate · click thread line to collapse