Ask HN: Why Paul Graham’s Website Isn’t Using HTTPS?

17 pointsshivasurya5y ago44 comments

I’ve recently skimmed through the website, essays and found that it doesn’t support valid https certificate ( some yahoo store wildcard certificate ). With portfolio companies like weebly and webflow in list, what makes paul stick to old plain website?

Please don’t answer that it’s not in your top 100 to-do list.

44 comments

ehsankia5y ago

Honestly I used to think the same, until adding HTTPS support because as simple as a button, and now there's no reason not too. Specifically for websites hosted on GitHub and AppEngine which most my sites are, it's little one button with LetsEncrypt. Beforehand, getting SSL cert was honestly a PITA and not worth it for a simple static website.

floatingleaf5y ago

Many ISPs are bad these days. They insert or replace javascripts in it is plain http.

I face this problem in India with mainstream ISP.

hexbinencoded5y ago

https://www.theverge.com/2016/3/7/11173010/verizon-supercook...

https://tech.slashdot.org/story/07/07/25/155200/tool-detects...

https://lauren.vortex.com/archive/000337.html

https://www.forbes.com/sites/markgibbs/2013/05/01/cox-commun...

https://www.mattcutts.com/blog/confirmed-isp-modifies-google...

chance_state5y ago

What do they insert? Ads?

shivasuryaOP5y ago

Yes, I’ve experienced it personally while doing my undergrad in india

jgelsey5y ago

Practically, you don't do a cert for your site, you do it to protect visitors to your site getting compromised by a MITM attack.

A site without a cert is basically telling its users "I don't care about you."

dvfjsdhgfv5y ago

I hear this all the time and I'm not sure if people saying that actually tried performing a MitM attack. First of all, a meaningful attack of this kind would occur when some data is uploaded - if it's just uploaded, you can basically do stupid pranks like replacing words and graphics. But more importantly, in order to actually perform a MitM attack, you need to have access to some parts of the infrastructure of the victim that you normally have not. For example, if you can perform the MitM attack by hijacking DNS (on a local machine or local network level), you can perform much worse attacks than MiTM, and HTTPS cannot stop you. In such cases HSTS can be helpful, although in itself is not without issues.

derekp75y ago

Or, a local ISP or the coffee shop you are visiting has an appliance that injects ads into http web sites. And those ads come from an ad network, that doesn't do a good job of policing malware that gets into the ad's javascript. (Malware-laced ad networks is actually the #1 reason I use an ad blocker, since that is the only times I've ever got computer viruses).

1 more reply

jgelsey5y ago

Access to the infrastructure is pretty easy - e.g. a WiFi Pineapple is $99. https://shop.hak5.org/products/wifi-pineapple

There is no absolute protection against compromise, but it would be polite for every web site to implement https and hsts to at least make it harder for visitors to be compromised. It costs them very little.

Maybe the analogy is soap in the bathroom at a coffee shop - most customers will not get cholera if the soap is missing, but is it moral for the shop owners to take the risk when the cost is so low and the downside is so high?

1 more reply

maxharris5y ago

It's just a plain website that doesn't do anything besides give you some text and images. This is technology that has functioned just fine for decades. I don't understand why it needs SSL at all - where's the private information that might be intercepted by someone in the middle?

crcastle5y ago

SSL (well, TLS now) serves three purposes.

1. Ensuring you are getting the information the website author intends for you to get. i.e. data can’t be manipulated in transit.

2. Ensuring the information you are getting is in fact coming from the domain you are requesting it from.

3. Preventing others between you and the website from seeing the information sent back and forth.

I think you questioned the need for TLS here assuming 3 was the only purpose of TLS?

shivasuryaOP5y ago

The intention isn’t about private information. What if essay text is modified in transit/injected with advertisements?

sushshshsh5y ago

Dunno, try it!

1 more reply

dvfjsdhgfv5y ago

The consensus among young devs these days is such a situation would be an abomination, that it's a sign of disrespect towards the visitor and that you should be publicly shamed for this.

ishcheklein5y ago

Agree that website is simple, but it can be promotional on his end- it's good to show best practices. And his website clearly has a lot of traffic, a lot of engineers read it.

coldtea5y ago

>Agree that website is simple, but it can be promotional on his end

If you have enough money, you don't need to promote yourself or impress anyone...

MattGaiser5y ago

Who does he need to impress with his web skills?

shivasuryaOP5y ago

It’s not about impressing but it ensures that it’s safe for everyone and it’s clear that his website gets huge traffic.

1 more reply

jaredsohn5y ago

scripting.com doesn't use https either (went through a list of some older blog sites I could think of but most are https now.)

The following was written years ago, but it is a lot easier to use https now. http://scripting.com/2014/08/08/myBlogDoesntNeedHttps.html

jedimastert5y ago

His main complain is that it costs money, which it no longer does. I think the rest of his argument really falls apart because of that.

amanzi5y ago

I'm surprised by the number of responses in this thread from people not understanding the purpose of HTTPS, even for static sites.

This is a good summary of why you should use HTTPS: https://doesmysiteneedhttps.com/

lmarcos5y ago

> what makes paul stick to old plain website?

It requires no effort to stick with HTTP. Yes, it's not rocket science to use HTTPS, but it requires a non-zero amount of time to enable it. He probably has better things to do with his time.

Besides, it's his personal website... He can do whatever he wants with it.

umvi5y ago

Because it's a hassle, people have limited time and it doesn't appear to provide much value.

difosfor5y ago

Given that HTTPS is required for HTTP2 to work in current browsers and it's easy to get a letsencrypt certificate this is a reasonable question. On the other hand, I guess it doesn't really matter for his simple purpose of distributing public information.

kgraves5y ago

His website works fine without it, what's the issue here?

jedimastert5y ago

Any website works just fine without TLS. Not necessarily a good point

kgraves5y ago

But is it urgent? doesn't seem like it is though.

There are millions of sites without HTTPS that should have it, why specifically his site / blog?

He isn't thinking about starting a account or a bank on his site is he?

1 more reply

justaj5y ago

I reckon that static sites that don't require JS can stay just fine using HTTP (provided you turn off JS in the browser, which is the best default you should be having anyway)

Please do correct me if I'm wrong, but I think a whole lot of trouble can come if you enable running scripts over unsecured connections. From malicious DOM manipulations to exploiting CPU vulnerabilities. All of this of course if you assume the website you're visiting isn't itself doing malicious things :)

020202025y ago

if there is no sensitive data input(like login) https is just a waste of time. being cool just for sake of being cool is not cool.

tgma5y ago

The opposite take, delivered with humor [need to hide HN referrer]: http://n-gate.com/software/2017/07/12/0/

dvfjsdhgfv5y ago

It makes no sense to provide direct links to n-gate from HN, it will just confuse people. Use this one instead:

https://outline.com/jBgZ3E

MattGaiser5y ago

Why bother? What value would it provide to him?

sfmike5y ago

This is the hacker spirit. Doing something short of the way it's supposed to be done(Not adding SSL), to make another point(I hate overengineering).

j / k navigate · click thread line to collapse

44 comments

ehsankia5y ago

floatingleaf5y ago

Many ISPs are bad these days. They insert or replace javascripts in it is plain http.

I face this problem in India with mainstream ISP.

hexbinencoded5y ago

https://www.theverge.com/2016/3/7/11173010/verizon-supercook...

https://tech.slashdot.org/story/07/07/25/155200/tool-detects...

https://lauren.vortex.com/archive/000337.html

https://www.forbes.com/sites/markgibbs/2013/05/01/cox-commun...

https://www.mattcutts.com/blog/confirmed-isp-modifies-google...

chance_state5y ago

What do they insert? Ads?

shivasuryaOP5y ago

Yes, I’ve experienced it personally while doing my undergrad in india

jgelsey5y ago

Practically, you don't do a cert for your site, you do it to protect visitors to your site getting compromised by a MITM attack.

A site without a cert is basically telling its users "I don't care about you."

dvfjsdhgfv5y ago

derekp75y ago

1 more reply

jgelsey5y ago

Access to the infrastructure is pretty easy - e.g. a WiFi Pineapple is $99. https://shop.hak5.org/products/wifi-pineapple

1 more reply

maxharris5y ago

crcastle5y ago

SSL (well, TLS now) serves three purposes.

1. Ensuring you are getting the information the website author intends for you to get. i.e. data can’t be manipulated in transit.

2. Ensuring the information you are getting is in fact coming from the domain you are requesting it from.

3. Preventing others between you and the website from seeing the information sent back and forth.

I think you questioned the need for TLS here assuming 3 was the only purpose of TLS?

shivasuryaOP5y ago

The intention isn’t about private information. What if essay text is modified in transit/injected with advertisements?

sushshshsh5y ago

Dunno, try it!

1 more reply

dvfjsdhgfv5y ago

The consensus among young devs these days is such a situation would be an abomination, that it's a sign of disrespect towards the visitor and that you should be publicly shamed for this.

ishcheklein5y ago

Agree that website is simple, but it can be promotional on his end- it's good to show best practices. And his website clearly has a lot of traffic, a lot of engineers read it.

coldtea5y ago

>Agree that website is simple, but it can be promotional on his end

If you have enough money, you don't need to promote yourself or impress anyone...

MattGaiser5y ago

Who does he need to impress with his web skills?

shivasuryaOP5y ago

It’s not about impressing but it ensures that it’s safe for everyone and it’s clear that his website gets huge traffic.

1 more reply

jaredsohn5y ago

scripting.com doesn't use https either (went through a list of some older blog sites I could think of but most are https now.)

The following was written years ago, but it is a lot easier to use https now. http://scripting.com/2014/08/08/myBlogDoesntNeedHttps.html

jedimastert5y ago

His main complain is that it costs money, which it no longer does. I think the rest of his argument really falls apart because of that.

amanzi5y ago

I'm surprised by the number of responses in this thread from people not understanding the purpose of HTTPS, even for static sites.

This is a good summary of why you should use HTTPS: https://doesmysiteneedhttps.com/

lmarcos5y ago

> what makes paul stick to old plain website?

It requires no effort to stick with HTTP. Yes, it's not rocket science to use HTTPS, but it requires a non-zero amount of time to enable it. He probably has better things to do with his time.

Besides, it's his personal website... He can do whatever he wants with it.

umvi5y ago

Because it's a hassle, people have limited time and it doesn't appear to provide much value.

difosfor5y ago

kgraves5y ago

His website works fine without it, what's the issue here?

jedimastert5y ago

Any website works just fine without TLS. Not necessarily a good point

kgraves5y ago

But is it urgent? doesn't seem like it is though.

There are millions of sites without HTTPS that should have it, why specifically his site / blog?

He isn't thinking about starting a account or a bank on his site is he?

1 more reply

justaj5y ago

I reckon that static sites that don't require JS can stay just fine using HTTP (provided you turn off JS in the browser, which is the best default you should be having anyway)

020202025y ago

if there is no sensitive data input(like login) https is just a waste of time. being cool just for sake of being cool is not cool.

tgma5y ago

The opposite take, delivered with humor [need to hide HN referrer]: http://n-gate.com/software/2017/07/12/0/

dvfjsdhgfv5y ago

It makes no sense to provide direct links to n-gate from HN, it will just confuse people. Use this one instead:

https://outline.com/jBgZ3E

MattGaiser5y ago

Why bother? What value would it provide to him?

sfmike5y ago

This is the hacker spirit. Doing something short of the way it's supposed to be done(Not adding SSL), to make another point(I hate overengineering).

j / k navigate · click thread line to collapse