Slashdot Mirror
Is Google's Promotion of HTTPS Misguided? (this.how)
Long-time software guru Dave Winer is criticizing Google's plans to deprecate HTTP (by, for example, penalizing sites that use HTTP instead of HTTPS in search results and flagging them as "insecure" in Chrome). Winer writes:
A lot of the web consists of archives. Files put in places that no one maintains. They just work. There's no one there to do the work that Google wants all sites to do. And some people have large numbers of domains and sub-domains hosted on all kinds of software Google never thought about. Places where the work required to convert wouldn't be justified by the possible benefit. The reason there's so much diversity is that the web is an open thing, it was never owned....
If Google succeeds, it will make a lot of the web's history inaccessible. People put stuff on the web precisely so it would be preserved over time. That's why it's important that no one has the power to change what the web is. It's like a massive book burning, at a much bigger scale than ever done before.
"Many of these sites don't collect user data or provide user interaction," adds Slashdot reader saccade.com, "so the 'risks' of not using HTTPS are irrelevant." And Winer summarizes his position in three points.
If Google succeeds, it will make a lot of the web's history inaccessible. People put stuff on the web precisely so it would be preserved over time. That's why it's important that no one has the power to change what the web is. It's like a massive book burning, at a much bigger scale than ever done before.
"Many of these sites don't collect user data or provide user interaction," adds Slashdot reader saccade.com, "so the 'risks' of not using HTTPS are irrelevant." And Winer summarizes his position in three points.
- The web is an open platform, not a corporate platform.
- It is defined by its stability. 25-plus years and it's still going strong.
- Google is a guest on the web, as we all are. Guests don't make the rules.
"The web is a social agreement not to break things," Winer writes. "It's served us for 25 years. I don't want to give it up because a bunch of nerds at Google think they know best."
Google is never going to make Chrome unable to access HTTP sites. If for no other reason than because the moment they did, they know everybody would switch to a different browser. They're not in the business of making information inaccessible. Their strategy of giving preference to HTTPS sites is perfectly reasonable though, all the more reasonable because of the fact that HTTP sites are generally old and unmaintained. I want old data to show up in my search results, but I rarely want it to show up first.
This space intentionally left blank
HTTPS doesn't require much at all. This writer's observations aren't very good. The https everywhere movement is a bare-minimum. We once were foolish enough to trust others on the web; the concept of zero-trust is where we are today, and for good, even outstanding reasons. That Google champions it is fine, even though Google is a corral of skunks, in my opinion, perhaps the worst robbers of privacy on the net.
In this case, however, https is absolutely the right direction, and twenty-five years of ostensible trust is more than naive, it's freaking treacherous out there, even for hackers with half a brain.
---- Teach Peace. It's Cheaper Than War.
Downloading executable files, downloading risky file extensions (doc, pdf), and downloading any document where integrity matters means that http is a risk. If someone downloads some old games from an HTTP archive, malware could be added. If someone downloads some PDFs with an outdated reader, there could be malware. If someone downloads some forms they're going to fill out later, changing the location they're supposed to be emailed/faxed/whatever means someone could give out PII or financial information. If someone is reading old news stories, changing the content of those stories to suit an attackers narrative could be very valuable. Just because the author can't imagine the security implications, doesn't mean organized crime, bored hackers, or nation state actors aren't thinking about it.
It's meant to secure the web. Two reasons:
1. Privacy, so that ISP's and other companies don't get to record which old files you access and when
2. So that a guy who sits next to you in a coffee shop with an infected laptop doesn't get to do a man-in-the middle attack when you go to access your old favorite version of minesweeper, and infect you
What would Google have to gain from pushing the web to https?
Legacy shouldn't hold us back. That's a sure way to make sure you stop progressing. Old sites not working anymore because they're not really maintained is not a good reason to try and stop progress.
We should instead just make sure we move forward in a way that makes sense from a technological and convenience point of view.
diegoT
But my sympathy has limits. In this day and age it's irresponsible to leave old, unmaintained stuff on the web.
These days the entire net is constantly being scanned for stuff like buggy SSH versions, exploitable wordpress instances and a myriad other bugs. If you're leaving your old stuff completely unmaintained it's pretty much guaranteed that somebody will break into that box sooner or later, and then use it for some nefarious purpose.
The age where you could just set up a box in the closet, use it to serve a page about your cat, and then forget about it is sadly long over. These days if you're not paying attention, installing updates and keeping up with what's going on with it you'll end up serving trojans, sending spam, or being a member of a botnet, if not something worse.
If you don't have the time to go to letsencrypt.org, get a free cert, and tell Apache to use it, you shouldn't be running that server.
How's that been doing recently? Especially with the current US administration?
It's an opportunity to educate people. Clearly there is web content Google doesn't want people to have access to. Stuff that they can't monetize at all, because it's just out there because somebody put it there and told an httpd to deliver to anybody who connects. That is apparantly BAD now.
An opportunity for other search tools and agents of communication to grow and thrive.
once the web is entirely encrypted, google will push their closed-source binary vision of it, where content is pre-compiled and/or pre-rendered (with optional drm) before delivery to the browser.. encrypted and binary = harder to block their fucking ads (aka their revenue stream).
Except that the rules for HTTPS have changed at least 3 or 4 times, and recently. First keys weren't long enough. Then SSL wasn't good enough. Then TLS 1.0 is broken.
Managing ssl.conf across a few dozen servers has taken a fair amount of man hours at my organization in the last couple years-- and we have configuration management tools.
And all of this is to protect the transmission of unrestricted, publicly accessible information.
Do we really need https to display wikipedia? To see today's headlines on CNN? To read slashdot? Does the wayback machine of publicly viewable web pages need to be encrypted during transmission?
A large percentage of the web doesn't need to be encrypted during transmission.
https does not require user/password, the trust is established based on the user cert store and the signer of the web sites certificate. If the web site cert is signed by a trusted source (Cert Store) then it will establish a secure connection.
I use Bing exclusively. Other than Android and Google Groups substituting for the old Usenet, I sort of forget that Google exists at all.
A lot of what is being said doesn't make any sense.
If the web is an open platform, then anyone is free to make any rules they want. And you are free not to follow them.
To answer your questions: yes. It needs to be default. Users, civilians, need to know when a web page is sending info across a network that's unencrypted, e.g. as plain text. They don't know the implications.
It would be a wonderful world if key management was simple, and it can be. CASB apps make it simple.
Wait until you find wire-sniffing apps inside your (expletives deleted) routers, or someone that's programmed a router port mirror to a tor listener. Security isn't that tough, but it eludes thousands of organizations. Look at this weeks, largest-ever breach in Florida, where most all of the living population of the United States had their names, addresses, and a few other juicy fields snarfed because of stupidity. The basics should include TLS 1.3.
Yes it changes. Anything valuable still requires paying attention to it. Civilians are clueless, and it's up to the responsible ones to do the job. So we do it. LetsCrypt is an easy method to get a cert and use it. I'm still unsatisfied that WPA3 is worth it, but I like how it works at a glance. In the real world, much stuff is broken and vendors are stupid and in it for this quarter's model, and this quarter's report to Wall Street and little else. Raising the standard from plain text to encrypted is an important step.
---- Teach Peace. It's Cheaper Than War.
Your voice isnâ(TM)t worthy for Google to surface it in search results. Or if a corporation wonâ(TM)t advertize. With Google if it accepts selected dis-approved certificate Authorities then all we need is anyone with cash to buy a certicate Authority and Google will give them a veto power over Internet content? QED!
"Knowing everything doesn't help..."
I'm travelling through Indonesia at the moment.
My phone's ISP is intercepting HTTP traffic and changing the content, injecting inline adverts.
What's your ISP doing to your traffic?
It's fine to prefer https when available, but there should be a way to say: this site really is intentionally https, and not have it flagged as having cooties.
Google's response to many inqueries is typically, "We're just a search engine". People type something in, and they show them the results. But, they're a very evil search engine because they're penalizing and even censoring search results.
"HTTPS doesn't require much at all"
But it is not without cost. It takes more power if nothing else.
I think the issue is why punish sites that do not use HTTPS if they have no reason to use HTTPS?
Why do I need to use HTTPS on a website I create that is totally public, offers not login/forums, and takes no payments. Maybe a site dedicated to building Control Line airplanes?
See my blog http://ilovecookes.blogspot.com/ for light hearted technical information.
LetsCrypt is an easy method to get a cert and use it.
Unless you're trying to obtain a certificate for the administration interface of an internal device on your home LAN, such as a router, printer, or NAS. Then you have to not only use Let's Encrypt but also buy a domain. If you try to use Let's Encrypt with a free subdomain owned by a dynamic DNS provider, you're likely to hit the weekly rate limit for the registered domain under which your subdomain was issued. Or have the major dynamic DNS providers completed the Public Suffix List add process for all their subdomains yet?
I shouldn't have to get a cert to pop up a website, period. The fact that people like you think we should is foolish, stupid and a road to hell.
Good-bye
" Civilians are clueless, and it's up to the responsible ones to do the job. So we do it."
You are a fucking fool.
Good-bye
I sort of forget that Google exists at all.
Last I checked, Microsoft didn't operate a video hosting service comparable to Google's YouTube. So what video hosting might a Google-free family use?
Why do I need to use HTTPS on a website I create that is totally public, offers not login/forums, and takes no payments. Maybe a site dedicated to building Control Line airplanes?
Two reasons: So that the ISP can't modify the page in transit to include advertisements or other unwanted elements, which Comcast has been caught doing. Also so that the ISP can't use the URL paths that their subscribers visit to build interest profiles on their subscribers. With HTTPS, the man in the middle sees only the hostname (e.g. "tech.slashdot.org", not the path ("/comments.pl?sid=12295934&cid=56872990").
Without a cert, how can your subscribers be certain that their ISP isn't tampering with the connection? Comcast has been caught injecting advertisement display scripts.
It is not misguided at all. Google wants a monopoly. They don't want any other company to have the ability to monitor what users are doing. Forcing https achieves this goal.
Add your organization (home) certificate signer to your root CA store.
I was under the impression that smartphone and smartphone-derived tablet operating systems made it difficult and/or annoying to add a root CA. How would you get the CA's root certificate onto a device in the first place if it can't read a flash drive? In addition, which graphical frontend to OpenSSL would less-technical users be using to operate this root CA, such as to issue a certificate before uploading it to the router or printer?
Plenty of people the world over cannot access large parts of the web because their governments censor it. That's the status quo. Creating technology that is privacy focused is key to making a web that really is open. In addition to thwarting less capable actors, it puts state actors in the awkward place of either having to embrace the tech, or be left vulnerable and outdated as the free world moves ahead.
When things get complex, multiply by the complex conjugate.
Try this:
1. Create a private certificate authority (CA) for your caching proxy. (If you're technical enough to operate a substantial proxy, you're probably technical enough to learn to use OpenSSL.)
2. Distribute this CA's root certificate to the users of your proxy to add to the trusted certificate store in each browser on each operating system on each device that each user uses.
3. For each website that a user of your proxy visits, automatically issue a certificate signed by your proxy's CA, and use that to man-in-the-middle the connections.
I was on the side that agreed with your statement.. But then I thought about it for a while... non HTTPS traffic (plain HTTP) can be modified in-stream. I think it was Comcast that was caught injecting ads into HTTP traffic a few years ago. You cannot do that with HTTPS. Do you want your ISP injecting or modifing the webpages you are trying to read? Besides, nothing prevents anyone from having two or three browsers.. If chrome isn't cutting it for you, there's always alternatives.
So.. maybe a position reevaluation is in order?
Bullshit.
That is not possible unless you are using a proxy they set up. You cannot inject ads into an HTTPS stream. Modifying any bits will cause the decryption to fail.
what the fuck does voting for Trump have anything to do with that moron's statement?
Is allow the http site content to be displayed but not allow any scripts to run.
Keeps the ads safe down to your computer.
No other party can go looking at other ads to that secure user.
Ensures only approved ads get seen as approved ads are protected by HTTPS.
Ads sent by HTTPS are accepted by that user as they have to have HTTPS to see the site, use the service.
HTTPS is a secure lock but in the way ads are now locked into a site, service.
Trust a site for HTTPS and trust their HTTPS ads.
Security services and police, mil are not unhappy about VPN, HTTPS crypto use so thats not a change.
Domestic spying is now "Benign Information Gathering"
So, If some country is hellbent on injecting adverts into every http website; What would stop them from injecting adverts into every https session?
HTTPS?
I was at first going to (try to) be sarcastic and just post the above all on it's own, but maybe there are those out there that don't actually know that the function of the HTTPS protocol is to prevent exactly that. HTTPS ensures that that the browser can have confidence that it is talking to the correct web server on the other end, and that nothing on the network between the browser and the web server can see or alter the information as it goes across the network. In cases where someone tries to alter content (inject advertisements) or send you to a fake website, the browser will warn you that the certificates don't validate.
I suppose if the country had an extreme level of control to the point that they could control what browser you used and what the trusted set of root certificate authorities were configured in the browser and if they could force the ISPs to perform man in the middle attacks, it could happen, but it would take an extreme level of state control.
The EU could have approved content laws. Then approved EU HTTPS is the only result found and the service that can be connected to?
Domestic spying is now "Benign Information Gathering"
HTTPS Everywhere is 100% about ending unregistered user of the internet. It is censorship at its most beautiful. Without it, anyone with s public facing IP, hell anyone with as public facing socket can publish on the internet. HTTPS Everywhere is about fixing that freedom, about making sure googled knows exactly who is publishing what.
Vimeo?
Browsing at +1 - no ACs, I ignore their posts. So refreshing!
Certainly are free through places like letsencrypt. Though they're only good for 3 months. If it takes your engineers more than an hour every 3 months to maintain the cers on all those domains, perhaps you need to find better engineers
If your engineers are manually renewing your certificates every 3 months then you also need to find better engineers. The whole reason let's encrypt uses short expiration dates is so that people will automate it. They could easily do a year or longer but then people get lazy and just manually do it.
It's not like anyone else can code a web browser or a search engine right? Maybe even a special search engine just for old HTTP sites? As time goes by, old search results are likely to be less accurate and not be rendered properly in modern browsers. Might as well use a correct tool for the job, like you would use DOSBox instead of Windows 10 command prompt to run old games.
Two reasons: So that the ISP can't modify the page in transit to include advertisements or other unwanted elements, which Comcast has been caught doing. Also so that the ISP can't use the URL paths that their subscribers visit to build interest profiles on their subscribers. With HTTPS, the man in the middle sees only the hostname (e.g. "tech.slashdot.org", not the path ("/comments.pl?sid=12295934&cid=56872990").
Those two reasons are really both part of the same real reason: So google can reduce competition. Google wants to hamper other companies ability to build interest profiles and sell advertising.
SEOs will thank Google. Now, you won't be able to see any keyword data at all Unless of course you pay for AdWor^H^H^H Google Ads
Out of curiosity in case what you say is true, is it possible for the ISP to receive an HTTPS request and return it within one piece of a frame with such a notification sitting in another piece of the frame?
-=This sig has nothing to do with my comment. Move along now=-
HTTPS doesn't require much at all.
Try running it on a $10 microcontroller.
And why are they called rockets when they are guided?
What makes you think they should be called something else? A rocket is basically anything that is self-propelled using a rocket engine. Some sources claim that a missile is always guided. However, many other sources that state that missiles can be guided or unguided, and given the prevalence of the term "guided missile", I tend to agree with the latter. Note also that a missile does not necessarily have to be rocket-powered, and that there's plenty of examples of the payload launched from a catapult, trebuchet, sling, etc., being referred to as a missile.
The moral of the story: Never rely on StackExchange as a sole authority; always verify any answers you find there by direct testing or from other trusted sources.
Il n'y a pas de Planet B.
Quite frankly, there is more dangers to insecure connections than whether your data can be intercepted. How about you being fed false data? You connect to http://www.reputablenewssite.c... only to get fed bogus information from your ISP that gets paid to "adjust" the news by someone.
Can't happen? 5 years ago I would've agreed. Today? I don't anymore.
Seriously, today more than ever, being able to actually verify that what you see is actually what you wanted to see is more important than ever.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
Come again when you learned how https works. https verifies and authenticates the sender, not the recipient.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
Umm... the way https works, probably?
But I'm pretty sure you can explain to us how to inject ads into an encrypted data stream. Better yet, save it and present it at the next Black Hat, I'm pretty sure you get a free ticket and a prime time speaker slot for only mentioning that you might have found a way.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
OOOo spooky. Now nobody will find my site. http://solaria5.fragcube.net/
Oh wait, nobody was finding it anyway...
Strange things are afoot at the Circle-K.
The web isn't the web of 25 years ago, and it's plain FUD to bring up Google or "corporations" in general as trying to manipulate us into something that's not good.
Personally I think the fact Google is both in a position to force this by itself and is leveraging that position is a bad thing regardless of intent. In fact I would argument intent is entirely irrelevant. They could have all the best intentions in the world and it still wouldn't justify means.
What worked 25 years ago for a few nerds doesn't work for the bulk of humanity.
I've always found myself mildly amused of the cross section of people who put up websites or bother to learn enough wiki markup to contribute to Wikipedia. It was never just nerds. A surprisingly diverse crowd were willing and able to do these things and do them decades ago when systems were much less available and harder to use than they are today.
I personally believe the Internet is substantially worse off than it was 25 years ago. Power just keep getting more and more aggregated into the hands of fewer and fewer. Users are now being owned enmasse by corporations in ways that previously only illegitimate underground would dare contemplate.
We need something better. If you're not going to offer it, then don't conflate the efforts of many organizations as "Google's will" to make it sound evil.
What does it matter whether someone is able or willing to offer something better? How does their ability affect the merits of topic at hand?
Sounds to me like someone's admitting that he *wants* to perform on-the-fly content modification. Care to let us know why that might be?
Il n'y a pas de Planet B.
In reality, it is propaganda being fed to them by a cabal of rich evildoers who work behind the scenes to manipulate the country.
Sounds an awful lot like Breitbart and the Koch brothers to me.
Il n'y a pas de Planet B.
Opera allows a user to save a webpage as a PDF file. Maybe it's time to just create webpages as PDF files with checksums, and not have the network fiddleware mash up images and documents.
The only problem with archived files on official archive websites, is that many of the zip files contain viruses and other malware.
Vintage computer adverts: http://www.vintageadbrowser.com/computers-and-software-ads
WTF is wiht today's meme of "papers please" trolls on HTTPs websites.
Something that stops the goverenment, the phone company and the hotel WIFI from snooping on your traffic and potentially injecting malicious content is now equivalent to "papers please"? What the ever-living fuck?
If you hate HTTPs so much just blindly accept every single certificate ever and you'll be exactly in the situation you're in right now. I would say there's a browser extension out there to do that but I doubt anyone who has the wherewithal to write such an extension would be stupid enough to believe it was worth doing.
SJW n. One who posts facts.
Currently, HTTPS proves that the site is run by someone with at least average photoshop skills such that they convinced some CA you've never heard of that they are the true proprietors of entity you've never heard of.
I feel more secure already!
"Wait until you find wire-sniffing apps inside your (expletives deleted) routers" Yes, I do quite frequently that, about once a week and we are a micro company. tcpdump is one of the most useful tool to debug firewall, vpn, application level networking issues of my users. Plain text protocols are a great help, and it is not coincidental, that most public protocol is plain text. They can be debugged, I can see what is happening on the wire. Usually even binary protocols contain enough ASCII text for debugging. Unnecessary (expletives deleted) HTTPS makes this impossible.
Have a look at the CAs accepted by your browser. Do you actually trust each and every one of those entities to never issue a cert in error? Have you even heard of most of them?
Sounds to me like someone just wants a decent browser that will actually take "just shut up about the cert and show me the damned page" for an answer.
If Google actually cared about transmission security, they'd implement cert pinning, including for self-signed certs.
If it was actually just about security and identification and not rent seeking, then any cert could be used to sign subdomain certs. If you trust that I am the right and proper owner of example.com, why is it not good enough if I vouch for alpha.example.com?
It seems like it would be easier all around if let's encrypt used longer expiration dates.
Sounds like perhaps it should be possible to get the browser to encrypt without a cert or at least with a self-signed cert.
Compare the cases:
Self signed cert: Joe blow says he's Joe Blow. Sure, anyone might claim that but honestly, I don't actually know him anyway. It might be nice to have pinning so I at least know the guy I'm talking to today is the same one I was talking to yesterday, but in the end, it's string controlled airplanes, not my banking details.
CA signed cert. Great, now I know that the guy who says he's Joe Blow also told a CA (that has no reasonable means to check) that he's Joe Blow. Whoopty! It still might be nice if the browser could let me know the Joe Blow I'm talking to today is or is not the same one I was talking to yesterday.
There are certs where (hopefully) more ID verification happens. If you're doing your banking, you should make sure the cert is one of those. But those cost a lot more amd you won't be getting one of those from Let's Encrypt.
As for rat bastard ISPs, how many people WON'T run a program provided by their ISP to "optimise" their internet experience that also (or only) slips them in as a valid CA for purposes of launching a man in the middle attack? I submit that the people who will not run such a thing are exactly the ones who could handle self-signed certs with pinning and a web of trust.
about HTTPS. You just answered my question. They don't want the ISPs to have the detailed data google has (they still have URLs but no page content) and they can't replace google's ads with their own. Now it makes sense.
Hi! I make Firefox Plug-ins. Check 'em out @ https://addons.mozilla.org/en-US/firefox/addon/youtube-mp3-podcaster/
Not only is he clueless, he is under the delusion that he is some sort of fucking digital soldier. While there may exist people I might consider a "digital soldier", it sure as fuck isnt slashdot user postbigbang ( 761081 ) that is gullible as fuck anointing certificate authorities the gatekeepers of information, and google the gatekeeper of allowed certificate authorities.
"His name was James Damore."
"HTTPS doesn't require much at all." - It requires maintenance effort and incurs a financial cost. You have to buy certificates and they expire. Yes, there are free certificates like those from Let's Encrypt, but they are cumbersome to use and expire after 3 months. If Google wants everyone to use HTTPS then Google should issue free certificates that expire after a year or two. Google demanding things without doing their part is typical. Aside from that, any site dishing up static content and not collecting any login or other personal information does not need HTTPS.
Two reasons: So that the ISP can't modify the page in transit to include advertisements or other unwanted elements, which Comcast has been caught doing.
You're proposing a technical solution be imposed on everyone, everywhere to fix a problem (lack of competiton allows behaviour customers don't like) with your specific market. How American of you.
(When I worked for an ISP, I was involved in implementing a solution to notify customers when they had reached a usage tier and were being throttled, but we provided them with the ability to opt out of the in-browser notifications if they had email or SMS notifications enabled. The only motivation here was to enhance the customer experience for the large majority of users who didn't know what their usage was or where to view it)
Also so that the ISP can't use the URL paths that their subscribers visit to build interest profiles on their subscribers.
My ISP is subject to local laws, and since I have a contract with them to provide services to me, I have some legal recourse. Also, if I am unhappy with my ISP, I can switch ISPs (or use different ISPs at different times by dialling another PPPoE session).
I am much more concerned about advertising networks like Google and Facebook who collect all our browsing information all the time due to the prevalence of Google analytics, adverts, and like buttons, who cannot be escaped as easily as dialling another PPPoE session.
With HTTPS, the man in the middle sees only the hostname (e.g. "tech.slashdot.org", not the path ("/comments.pl?sid=12295934&cid=56872990").
ISPs typically aren't interested in the difference. And the only reason they are typically interested in the hostname portion of the URL is to understand their customers, and how their customers experience the internet, to improve the experience. At least, in markets where the regulator has required that natural monopolies (e.g. last-mile network operator) provide wholesale services (in our case, layer-3 hand-over) to ISPs at reasonable prices to allow competition.
The fact appears to be that you did not understand, because you got what you want.
You do not need a cert to "pop up a website". No one is requiring that.
When a browser interacts with your website, the UI will now accurately convey to the user the true fact that the contents of this site were not protected for confidentiality or integrity in transport. That is all.
If your website truly does not require either (e.g. bash.org) then leave it as-is.
Third reason: Javascript injection. Let's say you're at the local coffee shop with an unencrypted WiFi connection and you browse some static page from the 90s. Somebody drops in a little bit of Javascript as the page is in transmission. Next thing you know your browser has made a connection to a nasty site that fingerprints it, sends over the latest vulnerabilities for it (since anyone arguing against HTTPS everywhere doesn't exactly keep up on security news), exploits the browser, escapes the sandbox and installs whatever they want on the system. It's all automated and happens instantly.
AKA Drive-by Downloads. https://en.wikipedia.org/wiki/...
Cwm, fjord-bank glyphs vext quiz
Yup, given that expensive general-purpose computers like raspberry pi zero cost half of that.
The raspberry pi zero is not expensive. It's insanely cheap. To see how insanely cheap, try making a list of all the individual components on the pi zero, and add up the cost if you would order them from a normal distributor. Don't forget the PCB.
You can walk into libraries all over the world, pull a book off the shelf, and read it. Nobody maintains it; it just sits there. Some things work that way.
You know there's an entire *profession* dedicated to maintaining it, yeah?
"goodbye and hello, as always" ~Prince Corwin, from Zelazny's Amber series
In theory, you could configure your web browser to connect to domains hosting financial web applications directly and other sites through the proxy. But I concede that major web browsers lack UI that specifically targets the edge case of selective deliberate use of a caching MITM on the client side of a harshly metered last mile.
Wait until you find wire-sniffing apps inside your (expletives deleted) routers, or someone that's programmed a router port mirror to a tor listener. Security isn't that tough, but it eludes thousands of organizations. Look at this weeks, largest-ever breach in Florida, where most all of the living population of the United States had their names, addresses, and a few other juicy fields snarfed because of stupidity. The basics should include TLS 1.3.
Then you are already fucked. Period. There is nothing stopping the attacker from doing the exact same thing, but easier on your computer, all while being able to read the information in the decrypted form. That means the attacker is already in your network and can chain exploits until they own everything.
Not to mention - why the FUCK would I need HTTPS to view a page that has been sitting around since 1998, is static HTML, likely has no ads plastered all over its face, and contains information on something obscure and random that newer pages don't have anymore? There's no reason for encryption for these older pages. Ever. There is no login information, user credentials, or even scripts being executed. It's fucking HTML, if the browser manage to fuck it up enough to be an exploit maybe, just maybe we should be looking at securing the browser instead of the transfer at that point.
To err is human; effective mayhem requires the root password!
What kind of information is worth being transported but not worth being tampered with and worth being mentioned on Google?
The article mentions policies implemented not only by Google Search but also by Google Chrome. If you read websites through Chrome, then everything you read is "being mentioned on Google" in this sense.
Also, if by "Google" you mean only Search: Wikipedia and the sources it cites. With cleartext HTTP, your ISP can insert patent nonsense into just your view of an article with no help from Wikimedia. But with HTTPS, the ISP would have to publish a revision through Wikimedia's server, where it'd get reverted in a heartbeat.
Most (All?) browsers and caching proxy servers do not save https content to disk.
Citation needed. Google Search for https disk cache returns, as its first result, "HTTPS Disk Cache Controller Browser Extensions" which contradicts your claim: "The default setting in Firefox 4.0 and later, true causes all HTTPS responses to be disk cached unless the server sends the header Cache-Control: no-store." Farther down the first page of results is the Chromium project's documentation of the disk cache mechanism used by Chromium and Google Chrome. Because this document doesn't contain "HTTPS", "secure", or "encrypt", it appears to say nothing about any distinction between cleartext and HTTPS.
Some caching proxies don't save HTTPS content to disk because they don't cache HTTPS at all. The FAQ of the Polipo proxy states that it falls back to a tunnel using the CONNECT method for HTTPS connections. It doesn't support a shared HTTPS cache with a private CA.
Okay. But do you want your ISP to have that information? I'm all for legislation to restrict ISP's from storing any information about your web browsing history. You're paying them for a pipe, not a service in exchange for your info. Come to think of it, that applies to your credit card company and anybody else you do paid business with.
Posted from my Android phone. Oh, I can change this? There, that's better...
You've spent x$ on the blasted thing, surely them providing a "consumerrouter.netgear.com" domain name (or whatever) with valid cert that is served off the router itself should be included with the purchase price
Which conveniently has a not valid after date 12 months after purchase, once the warranty expires. And now that you're putting the onus on device manufacturers, what cert should someone who builds a NAS out of a Raspberry Pi use?
Zero dollars will get you a fully qualified domain from a DynDNS type of service.
If on your first attempt you hit the weekly rate limit for subdomains under a particular dynamic DNS provider, how practical is it to retry at random intervals for upwards of two days, as another Anonymous Coward suggested?
1. Why do you want your printer to show up in Google search results?
The summary mentions not only Search but also Chrome.
2. Do you really want your printer accessible directly over the Internet?
No, but web browsers' enforcement of Secure Contexts policy currently makes no distinction between machines on the LAN and machines on the Internet.
Nobody's suggesting it's a problem Google won't include search results from your router's configuration page.
The summary mentions not only Search but also Chrome. Chrome makes a policy distinction only between localhost and not-localhost, not between your LAN and the Internet. This is because it assumes your LAN could be a coffee shop WLAN, which ought to be untrusted.
The value in tampering with a public domain movie is to insert copyrighted scenes. Then someone who reuses portions of the movie in his own work, thinking it's in the public domain, gets framed for accidental civil copyright infringement. Unlike crimes, torts do not require mens rea (intent, recklessness, or negligence). Besides, thanks to copyright term extensions, I thought public domain movies were undesirable to the majority of viewers because they are silent and in black and white.
What you're ultimately asking for is some means for signing only, as opposed to encryption. This provides an integrity guarantee but not one of confidentiality. But how would this be integrated into web standards?
Khyber's claim, as I understand it, is one of two things:
A. Charter has misused a certificate to set up a proxy.
B. Charter is imposing a captive portal on past due subscribers, which causes the web browser to make a cleartext HTTP request to retrieve the network's sign-in page.
Public info doesn't require sec? Really, how do you know you are connected to the real site?
In theory, a cipher suite that does signing only and not encryption would allow this. A cipher suite that provides integrity without confidentiality would allow an intermediate proxy on the far side of a harshly metered link to replay the session to viewers behind that link, saving data transfer allowance across that link.
How do you know the info you read is real?
HTTPS does not prevent website operators from publishing fake news.
How do you know someone isn't checking what you read?
Some information, such as the National Weather Service forecast and radar image sequence for the city in which a user is located, is so generic that little information about the user's interests can be gleaned from observing that the user has viewed it. For these, integrity without confidentiality may be warranted. The problem is that current web technology offers no way to provide integrity without confidentiality.
You're proposing a technical solution be imposed on everyone, everywhere to fix a problem (lack of competiton allows behaviour customers don't like) with your specific market. How American of you.
How many visas does your country offer to people who seek asylum from the American regime and have work skills?
You're paying them for a pipe, not a service in exchange for your info.
Then all the ISPs will hike their rates. Those who want a pipe can pay double. Those who want what less technical users are used to would get a 50 percent off discount in exchange for interest gathering and advertisement injection service.
I submit that the people who will not run such a thing are exactly the ones who could handle self-signed certs with pinning and a web of trust.
Bingo. You've found the real reason that governments are making travel more of a hassle. It isn't entirely to prevent terrorism against passengers; it's also to make it less convenient to attend key signing parties. Without attending key signing parties in faraway lands, you can't very well make your public key more densely connected in the global web of trust. You end up trusted on an island within bicycle range (that is, your home city) with some bottleneck keys in all trust paths in and out of the city. These bottleneck keys' owners are the key signing jet set, and they might as well be CAs.
Though the author is right in that the public information itself requires no hiding, the information about my am accessing a particular piece of information may be important...
And then there is the integrity aspect — without something like HTTPS, how do I know,the data has not been tampered with in-flight?
In Soviet Washington the swamp drains you.
Google... developed cert pinning (HPKP) and only after bad operational experience removed it:
https://www.zdnet.com/article/...
As someone most involved in operations, I think you fail to appreciate how hard the basics are. Just try to keep ALL of a reasonably size organization's internet facing thingums patched. I haven't heard of a anyone being successful at that. Software and systems are thought of like consumer goods: you buy them, they have a natural life, and you repair for a while or replace before that gets too costly.
For internet facing services, it's more like fruit. You expect to put fresh fruit out there every week, because no-one is going to buy two month old watermelon. Acquire fresh fruit, qa them for damage, for ripeness, etc... and put them on the shelf, in a day or two. And a week later, you need new fruit.
That's the thing people aren't really grasping. When they contract out development, and they accept delivery from something. A week later, they either have support or it starts going bad and needs to be thrown out within a few months. You can't really buy software, or it's a really bad deal if you do, because a *perpetual license* is good for a week or two.
Patching is hard.
That's because they did it wrong. The big mistake was having the browser refuse to do as it was told rather than just providing informative messages. The second was depending on the site operator's instructiopns rather than just remembering the cert it saw before as a matter of course.
Perhaps they're losing their edge.
Security isn't that tough, but it eludes thousands of organizations.
It's not something I can say I've thought deeply on, but I think I want to disagree with such a statement.
For starters, vigilance is not easy.
Why do I need to care about these things? Not my problem.
For every problem, there is at least one solution that is simple, neat, and wrong.
Think of the children's...energy prices. All that unnecessary encrypting costs electricity, times billions of pages per day.
Sloth is easily rewarded. Read about the weekly breaches if you had any questions. We're losing the war. And make no mistake about it: it's a war.
---- Teach Peace. It's Cheaper Than War.
Well, it does tend to guarantee that what I receive on my end is in fact the same as what was transmitted by the server, no?
If I'm misunderstanding anything, feel free to educate me.
Il n'y a pas de Planet B.
Web of trust also means that If I trust example.com, I have every reason to place just as much trust in it signing a.example,com. No need to travel cross country for the 184th Buggy Whip manufacturer's Association of America convention.
Dave Winer seems to think this is a Google thing. In point of fact, HTTPS Everywhere is sponsored by the EFF and Tor. And Let's Encrypt is run by an umbrella organization whose members include the EFF and Mozilla as well as Google, Cisco, and Akamai.
I don't have much trust for Google, but I do have a lot more trust for the EFF than I do for some random software developer. Even if he's old. I'm sure Winer is well-intentioned (given his history), but he doesn't seem to have done his research very well, in this case.
The EFF's reasons for supporting https are a lot stronger than Winer seems to realize. Google's reasons, I can't address, since I'm not familiar with them, but the EFF's arguments are pretty strong. MITM attacks at the government actor level are not just hypothetical.
From the EFF's page:
Content injection is when someone adds data or code to your communications with an HTTP web page. For example, it's how GCHQ and NSA took over a Belgian ISP's computers. Content injection is also how China took down GitHub with a massive DDoS attack, dubbed "The Great Cannon". Content injection is also becoming popular with ISPs. Verizon injected tracking headers into every request made by their customers. And Comcast injects pop-ups into sites where they don't belong. All of these attacks can be stopped by HTTPS, provided it is implemented and made default on enough sites.
Now, I admit there are still some questions which aren't as frequently discussed as they should be, such as private LANs where https isn't an option. (I have http services running on such a LAN myself.) But that can be dealt with. For IP4, it's fairly easy--whitelist private ranges. For IP6, you'd have to have a way of designating your trusted network. But it can be dealt with. And the public Internet should be encrypted. Anyone who argues otherwise is simply clueless. (Or culpable.)
Whoooooooshsh...
Il n'y a pas de Planet B.
It will certainly help Google sell certificates ...
How will it do that when the Internet Security Research Group (which is backed by the EFF among others--including, yes, Google) is giving them away for free?
The problem here is the assumption (which Winer got from God-only-knows where) that Google is the one behind the drive to use https, when, in fact, the EFF and Tor are major backers of the push. And, while I don't trust Google as far as I could throw them, I trust the EFF and Tor a lot more than I trust this Winer guy.
Google still has it, so it doesn't make any difference to me which mega corporation has it. Besides, I've said this before on this forum but I'm just not that worried about my privacy. I'm lower working class (I'd be doing better but my family has a lot of health problems and being American it's constantly crushing me financially). Privacy is mostly an upper middle class concern. In my income bracket I'm more worried about having basic needs met.
The way I see it is this: The ultra wealthy want to invade my privacy so they can use that information to oppress me. But the only reason they're bothering to oppress me is so they can take all the money for themselves. If we had a society where we didn't let them do that and didn't give them so much money that it truns into power I wouldn't care if they knew what web sites I browsed. In other words, if I had guaranteed access to food, shelter, healthcare, education then they wouldn't have any leverage to oppress me.
That's what true freedom really is. It's when nobody has any leverage over you. It's why I'm a Democratic Socialist. Nobody Should be too Poor to Live. And nobody should get to decide who lives and who dies.
Hi! I make Firefox Plug-ins. Check 'em out @ https://addons.mozilla.org/en-US/firefox/addon/youtube-mp3-podcaster/
You can whooosh all you want, but the fact that a $5 pi zero runs linux. openssl and apache, doesn't mean a $10 microcontroller with 1MB of flash and 128kB of RAM can do the same thing. And there are plenty of good reasons to use a $10 microcontroller over a $5 pi.
Web of trust also means that If I trust example.com, I have every reason to place just as much trust in it signing a.example,com.
The next question is how you came to trust example.com in the first place. Is it that you trust com? If so, you've reinvented DANE, and the reason DANE hasn't taken off is registrars dragging their behinds on adding DNSSEC to the zone hosting bundled with a domain name.
I'm at a loss as to why you replied to a nonsensical comment about Japanese rockets with actual useful information. I'm also at a loss as to why I'm even bringing it up.
Do you enjoy ads for something you already bought following you around the web? Do you enjoy having your phone's, tablet's, or laptop's battery drained, or the electric bill for use of your desktop increased, by Monero cryptocurrency mining scripts that third parties inject into HTML documents that you view?
Much like one comes to trust anything. First tentatively and in matters of little consequence, then moreso over time. Trust is a funny thing.
Consider, for some reason, Smiling Sam gets his online used car dealership the highest level of verified cert. So I can absolutely trust that the site really is ..... created by someone I know absolutely nothing about. OTOH, some student creates a page with a few useful formulas and tables on it and self-signs. I look it over and see that the ones I remembert he has correct. I trust him more than I trust Sam. I trust his signature on his friend's site more than I trust Dam's signature on a mechanic who will happily certify that Sam's cars are the best.
What I really need from most certs is assurance that the site I'm seeing today is the same one that slowly earned my trust over time. Or if it's a new cert, that someone who has earned my trust over time can verify that the site is the same one I have come to trust.
The CA's are really sort of a last resort since they boil down to "someone I have never heard of says someone else I have never heard of told them that his name is Joe Blow. Is that REALLY stronger assurance than a stranger walking up and saying "Hi, I'm Joe Blow"?
Back in the mid '90s, when https and Certs were just starting to be promoted, I talked to a Verisign rep at a show. He actually told me that I can trust the identity of any website with a cert because they contractually agreed to not lie when Verisign issued the cert. Because crooks never dare violate the terms of an unsigned contract.
As a content provider, that's not my business.
And as a consumer, I use lots of ad-blockers and similar, because I visit a lot of sites where I don't even trust the content provider not to do that stuff.
And as someone who once worked at a VPN-as-a-service company, I know that there are ways to, with the user's permission usually, inject root certificates to all for content injection into HTTPS, and also that even outside of this, most sites don't contract with advertisers directly; they use ad networks and most of those have very poor quality controls; even now fairly often when I browse the internet on my phone I get that take-over-your-phone ad content.
That ship has sailed; these concerns are only valid for a world we're no longer in, and mandating https never really helped with this much anyway.
For every problem, there is at least one solution that is simple, neat, and wrong.
Don't forget to mention; non-HTTPS enabled sites simply won't be displayed in Chrome or Safari.
Firefox FTW
Forcing every site to get a cert only creates a certification industry.
No sig for you! Come back one year!
This is really an argument about externalities, costs shoved off to society, instead of being paid for up front. There are costs to HTTPS, and a great deal of technical debt would be incurred in forcing older sites to deploy it. HTTPS is a set of trade offs, one of which involves centralizing trust (and thus the ability to censor) in the top level certification sites. Using HTTPS also prohibits the development of other options, any of which may actually be far superior, in other words, premature optimization.
There's no really good reason to force old web sites to change everything for your latest version of security kool-aid, and again in 6 months, and again in 6 months, ad hoc, ad nauseum. It won't actually do much good, and as stated above, does much harm by potentially removing history.
Grow up, kids.... HTTPS is like beta software... it's not done yet. Get back to me in when it hasn't undergone a revision in at least 5 years.
God forbid anyone type in a verbose URL or use a different search engine. I get around the internet just fine without using Google services.
That said, yes, securing your connection to websites is a great idea. Sometimes giant corporations actually do have good intentions.
Specwise, you're right.
Effectively, it is, though.
Until you can cook your own certificate up and the browser won't shit itself and fall in it and then pull the user in afterwards screaming about risk when they get the FrightDialog(tm) shoved in their face, HTTPS will remain more of a money-grubbing scam than a usable option for anyone not doing e-commerce or secret data collection.
And no, let's encrypt's time-limited certs are not a good solution.
I've fallen off your lawn, and I can't get up.
It seems like it would be easier all around if let's encrypt used longer expiration dates.
Let's Encrypt disagrees. They actually plan on making it shorter once people get used to automation: https://letsencrypt.org/2015/1...
and google the gatekeeper of allowed certificate authorities.
Why is, of course, the real reason that they're so keen on this. Google have been trying to control the web for years, and this is just another step in their wider strategy.
I have a few web based apps that can't use the automated method. Their dhort expiration convinced me to just self sign a cert and call it good.
The fact that the thing will turn on in under a microsecond being far from the least of them. The fact that it can lose power at any point without ever becoming unbootable, is another. The fact that it doesn't run an OS is also a welcome relief. The fact that it can actually run without drawing 2 amps, and is thus practical to run on a battery is invaluable. It'll also have proper low-power modes, which will draw microamps or less.
For an actual product that you wanted to ship, the RPi is a non-starter.
like Internet. They have to worry about government regulation if they raise the price too high. Or at least they used to. With the current administration I don't think that's the case. I know my bill's gone up $20 in the last 6 months and it'll jump another $40 by the end of the year (assuming I want the same tier service I have now).
Hi! I make Firefox Plug-ins. Check 'em out @ https://addons.mozilla.org/en-US/firefox/addon/youtube-mp3-podcaster/
So, I used to work at Google. And my goal was HTTPS across all of www.google.com, which... was a task, and not one that I did solo, by any stretch of the imagination. I've worked in industry for 20+ years. I've never been more proud to work on a project.
As far as "there's tons of unmaintained content out there", I'm... not entirely convinced; that feels like saying something that should be true, but just isn't. Bandwidth costs money, so if you've got a machine serving any amount of content... someone's paying for that machine. Do you have examples or data backing up the claim of the tons of unmaintained stuff?
My personal website has been around since 1998. I provide/share information on topics that interest me. I have never served ads or collected personal information (logging is not turned on at my website). I can enter search terms on Google and use "I'm Feeling Lucky" to find my website. But now Google is going to downgrade me since I don't use HTTPS, so they can have exclusive access to search results to access my website information. WTF? Not all the information on the web needs to be encrypted.
YES, the entire web needs to be encrypted. Why? Because a hostile government (or any other bad actor) can compile a dossier on you based on the sites you visit.
'He who has to break a thing to find out what it is, has left the path of wisdom.' -- Gandalf to Saruman
"HTTPS doesn't require much at all." - It requires maintenance effort and incurs a financial cost. You have to buy certificates and they expire. Yes, there are free certificates like those from Let's Encrypt, but they are cumbersome to use and expire after 3 months.
I switched my certs from a commercial CA to Let's Encrypt, and maintenance effort has gone down. With my previous CA, every two years, I'd have to go to the CA's website, put in credit card information, upload CSRs, download certificates, etc. With Let's Encrypt, I install a cron job on my webserver that automatically renews the cert without me having to do a thing. Sure, they expire after 3 months, but since I don't have to spend time renewing them, what do I care?
Scenario 1 is plausible but unlikely.
Scenario 2 is exactly the kind of thing HTTPS and modern browsers protect against. When you attempt to visit an HTTPS site, your browser will not just begin fetching unencrypted components. That was mitigated way back in the IE 6 days. Nor will your browser failover from the blocked HTTPS to a working HTTP. Once again, modern browsers do not do that. If anything (in a non proxy situation) gets in between and modifies the HTTPS stream, the stream will fail to decrypt and your browser is going to display a blank page or a warning of some type.
Furthermore, javascript malware exists... If you can penetrate the ISP and begin injecting javascript malware into every active TCP connection on port 80, you could theoretically infect ever single customer (assuming a 0 day exploit). You cannot do this to HTTPS streams. They are immune from modification in transit.
I think you wanted to mod my post "Communism and white genocide is awesome!"
Because, you know... The fact data are removed from social media, or rather all the most used and seen communication paths whatsoever _IS_ destroying much more data than simply "demanding" HTTPS and as far as consequences goes exactly the same problem.
That you don't like the data, information and opinions which are removed doesn't change that and don't make it "off-topic" when speaking of what's the equivalent of modern day book burning of data / electronic communication and information sharing.
A large percentage of the web doesn't need to be encrypted during transmission.
It's not up to the person sending the information to decide if the person receiving it could be persecuted for doing so.
why the FUCK would I need HTTPS to view a page that has been sitting around since 1998, is static HTML, likely has no ads plastered all over its face, and contains information on something obscure and random that newer pages don't have anymore?
Since when does any of the above determine how sensitive the content may be?
Interestingly you've described a good portion of websites which may or may not be hosting copies of the Anarchist's Cookbook, the possession and accessing which has come up in court cases in the past.
It's not up to the content provider to determine what you are being persecuted for accessing. Not everything is about logins and bitcoins.
I also own my own domain for my business. It's is not HTTPS either.... why? Because it's a static information page that gives info on me and my business, what I do and how to get in touch with me and some samples of my work. There are no logins, no user accounts, no private information being stored or asked for. There is absolutely ZERO reasons for me to deal with the hassle of setting up and maintaining
I thought of more than three reasons:
1. Prevent MITM from injecting a Monero mining script into samples of your work
2. Prevent MITM from injecting intrusive tracking for delivery of interest-based advertisements into samples of your work
3. Prevent MITM from injecting a redirect to some madarchod's tech support scam in India into samples of your work
4. Prevent MITM from injecting drive-by downloads of ransomware into samples of your work
Obtaining a Cert every 6 months and having my hosting provider install it for me (since I can't myself, due to the need to have root privileges on the server)
File a support ticket with your hosting provider to offer you an API with which to install a certificate. Then you can set up an ACME client to upload a renewed certificate to that API on a cron job. Also search for competing shared hosting providers that do offer such an API.
This article is spot on, the public available portal for sites like Slashdot, news, and Wikipedia and many many thousands of other sites is not required.
For news, it's becoming increasingly common to have to log in as site after site goes behind a paywall due to falling advertisement revenue.
Scenario 2 is exactly the kind of thing HTTPS and modern browsers protect against. When you attempt to visit an HTTPS site, your browser will not just begin fetching unencrypted components.
That used to be the case. It has since changed with the introduction of captive portal detection in the major web browsers. If a web browser gets a certificate error, it will try fetching something over cleartext HTTP like example.com. If that turns out to be MITM'd, the web browser will assume that you're on a network that requires all users to sign in, such as a coffee-shop LAN, and open the sign-in page in a new window.
Absolutely agree. Notwithstanding the environmental effects of requiring (relatively) computationaly expensive cryptography too.
Even a self signed cert is better than plaintext especially if its registered with a service like SSL lighthouse. Better yet would be web of trust system where site certs have signatures from businesses & people that they have an actual relationship with rather than some faceless CA nobody has ever heard of.
Maybe the browser should keep quiet unless it is instructed to submit information?
Use-case: The proverbial "little old lady" searches for knitting patterns. Clicks on the link. Whilst it _may_ be a concern that an evil party may insert/replace content, I'm not certain that telling her that the site isn't secure really helps her.
Why would she expect the site to be "secure"? What does it mean to her that the site is deemed "insecure"?
I can see the utility in warning users not to use insecure forms, particularly ones that appear to collect personal information... so search forms don't count, but I think HTTPS everywhere is OTT. It simply doesn't help not least because there's still so many risks even if a site does use HTTPS.
Not to mention - why the FUCK would I need HTTPS to view a page that has been sitting around since 1998, is static HTML, likely has no ads plastered all over its face, and contains information on something obscure and random that newer pages don't have anymore? There's no reason for encryption for these older pages. Ever. There is no login information, user credentials, or even scripts being executed.
Four answers to this question so far, and all of them explain why I as a site owner should want HTTPS. The question is, if I don't want HTTPS - if I've decided the updates have negative ROI - why should I be coerced into using it?
Note that I'm only saying "coerced" instead of "forced" so someone doesn't say, "They're not forcing anything." They're not fording it yet, but I predict in a year Chrome will do the same thing it does today with flagged malware sites and prevent you from accessing them.
Nope, no sig
Because without https, your site becomes a danger to others, since it can be so easily hijacked by a MITM attack. Which is why the EFF (Winer is simply wrong about blaming it on Google) is working so hard to get https adopted everywhere.
Because your ISP injects it own ads into the html.
My Transformation Website
Kindle Books http://www.catprog.org/rev
Interactive CYOA http://www.catprog.org/st
as a programmer that deals with fixed architecture, micro controllers and lower powered hardware, this also worries me. These types of hardware architectures are usually sandboxed from a programming perspective and sometimes run programs written in custom versions of what-ever programming language the manufacture decides. For many of these devices, encryption algorithms in general are a lot of overhead to have to deal with with every network transaction. Not to mention that the tools for these devices on the programming side are usually behind the newest times, and often don't have or support premade frameworks for handling coding implementations that are considered a given on the windows/mac and smartphone side of things Sure the toolsets can improve, and frameworks can be developed/implemented by the manufactures who release the compilers and tools for these microcontrollers, but the processing overhead is still there.
"Scenario 2 is exactly the kind of thing HTTPS and modern browsers protect against."
I think tepples owned your ass enough, so I'll just sit here and add one further thing - the ISP controls your connection and can force all kinds of shit upon you through various manner of trickery. I used to work for IXL Memphis, a dial-up provider, and we'd fuck you left and right no matter what encryption you'd use.
Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
They wouldn't have to, they can put that page inside a capsule served from their side, with the notice inside that capsule.
Doesn't matter if you're encrypted. They serve you the encrypted page inside of another unencrypted page screaming at you to pay your bill.
But to you, it looks like they directly modified the page.
Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
That is pretty much what I was trying to say. I haven't dabbled with writing HTML in ages, but I do remember using frames with invisible borders to create margins, static top menus etc. long before CSS was a thing. That's the trick I was expecting was in play here.
-=This sig has nothing to do with my comment. Move along now=-