sounds kinda like Bryan Lunduke’s arguments against https, “I can’t view it on netscape navigator, and of course properly setting stuff up is UNTHINKABLE”
Right, right, fuck people who are stuck on old systems or have slow satellite internet. It’s not like they’re deserving of any information on the internet, right?
Well, the issue isn’t exactly black and white here. There’s also the problem that many ISPs are none to inject other files (e.g. JavaScript files that do some non-sense) into HTTP sites, but are unable to do so with HTTPS. So it’s not just about user security, but also to ensure the delivered site is not tampered with along the way. Also, the web should be secure by default, not the other way around, so while this does hold back the always shrinking population of old/slow systems, this is the best route forward.
The thing is, though, that jan6’s argument against this seems so much like “hurr duh durr go go progress”. I agree, we should focus on pushing for faster Internet to more people and not hold back for the “lowest common denominators”, but at the same time, we shouldn’t completely ignore them for the sake of progress.
Also, I disagree that the web should be secure by default. The web was never meant to go this far. It was originally intended as a way for people at ARPA to connect between computers across the US. The infrastructure should have been designed security first if that was the goal.
did you even read comments of the original link?
also @“it wasn’t designed to be secure”…totally agree, but just TRY to get another protocol widely accepted…especially a “designed to be secure” one…
the web’s a pretty new place though, it was never meant to be accessible by billions of people either, nor attract the interest of capitalists and need special laws to be created, and such…
I’ve always found this whole “https everywhere” silly. Even when I had a web site with content on it, I didn’t want to pay for a certificate, and for https hosting, and I had no content deserving of being encrypted end-to-end.
And every response to him was “yes you need HTTPS, everyone needs HTTPS”. one person even linked to a site that was exclusively about why absolutely every site in existence needs HTTPS or else!!!!1!11!(one)!1(eleven)!
the easy solution to all of https is to properly use it… just don’t force-redirect to https…
let the browsers default to it, but not by force…
maybe show a little banner that says “we have https for you to use” but no rules that redirect http to https…
also,
The above statement from Seth is not true. With services like Let’s Encrypt. It is no longer a cash grab and provides people with free certificates with key rotation but I digress.
and
the ISPs themselves can execute man-in-the-middle attacks to:
insert their own advertising into your site
collect data on what your readers are viewing, and sell that data to whoever or whatever
censor/block/rewrite parts of your site
The first two are happening already; the third may be. If you’re cool with that, OK. I certainly wouldn’t be. I completely agree that this is a harsh penalty to impose on sites that are relatively static and simple or sites that are run by groups that don’t have the technical ability to implement https.
HTTPS is a solution – not a good one, I’ll grant, but I don’t think we have a better one.
(also I’ve yet to see a single hosting place that DOESN’T support hosting https)
I suppose I should amend my statement to “the modern web should be secure by default”. There’s no way we can un-open the Pandor’a box of people using the web for anything and everything including their kitchen sin. Since everyone is dumping information into it at an ungodly rate, of which includes personal/private information and sensitive information like bank card info, the default should be all this information being secure and encrypted until specified otherwise.
And the only way those without the latest and greatest are being left behind are in services where the vendor doesn’t care, no one has removed HTTP or preventing people from using it, for those who need it it’s there for developers to make light services for. Also, there seems to be new trends in trying to lighten up services anyways with things like this: https://medium.com/@addyosmani/the-cost-of-javascript-in-2018-7d8950fbb5d4
Showing the real-world cost of having sites be bloated and slow.
I still disagree with the idea that any web, modern or in general, should be “secure by default”. There’s no real reason to encrypt, say, a page on my thoughts about some drama somewhere that is inconsequential. Will an ISP attach ads? Do I care? It’s just something inconsequential about some drama. If an ISP wants to make money off it so be it.
Also, one thing that rubbed me the wrong was about your previous comment was the implication that the class of people with outdated tech is “always shrinking”:
…while this does hold back the always shrinking population of old/slow systems…
In a system where tech is always advancing, doesn’t it make more sense for the population of old and slow systems to grow, rather than shrink? For example, I have a Motorola Droid Bionic in my room. If something happens to my phone I may have to use it as a daily driver. It’s really slow. Now imagine people who don’t have or can’t get upgraded tech. Do we leave them behind for the sake of the “greater good”?
What I meant my an always shrinking of slow/old systems is systems right now that cannot load sites quickly. While many don’t like to acknowledge it, the Moore’s law is reaching a theoretically plateau with the issue of 10nm being too small to make accurate processors that are faster and continue to shrink in that direction. So even moving forward, all future devices should be able to handle rendering sites quickly, and older/slower systems are always breaking and being replaced (I.e. shrinking in population).
When I say secure should be the default, I mean that people should assume they’re putting HTTPS into their product rather than adding it later upon realizing that security is important at that layer, not that everyone should blindly follow that idea for sites like a blog.
I’m getting the idea the author doesn’t know how to set up a https caching server, properly.
It also requires a MITM CA that lets your cache pretend to be the other server.
Service workers are a good work-around though.
Still a pain in the butt
No doubt. Managing an internal ca is a pain.
sounds kinda like Bryan Lunduke’s arguments against https, “I can’t view it on netscape navigator, and of course properly setting stuff up is UNTHINKABLE”
Right, right, fuck people who are stuck on old systems or have slow satellite internet. It’s not like they’re deserving of any information on the internet, right?
Well, the issue isn’t exactly black and white here. There’s also the problem that many ISPs are none to inject other files (e.g. JavaScript files that do some non-sense) into HTTP sites, but are unable to do so with HTTPS. So it’s not just about user security, but also to ensure the delivered site is not tampered with along the way. Also, the web should be secure by default, not the other way around, so while this does hold back the always shrinking population of old/slow systems, this is the best route forward.
The real answer is to push for faster Internet to be available to users, not to hold back the progress of the Internet for the lowest common denominators. Which, is something we might be seeing in the near future: https://www.fcc.gov/document/fcc-authorizes-spacex-provide-broadband-satellite-services
The thing is, though, that jan6’s argument against this seems so much like “hurr duh durr go go progress”. I agree, we should focus on pushing for faster Internet to more people and not hold back for the “lowest common denominators”, but at the same time, we shouldn’t completely ignore them for the sake of progress.
Also, I disagree that the web should be secure by default. The web was never meant to go this far. It was originally intended as a way for people at ARPA to connect between computers across the US. The infrastructure should have been designed security first if that was the goal.
did you even read comments of the original link?
also @“it wasn’t designed to be secure”…totally agree, but just TRY to get another protocol widely accepted…especially a “designed to be secure” one… the web’s a pretty new place though, it was never meant to be accessible by billions of people either, nor attract the interest of capitalists and need special laws to be created, and such…
I did, did you?
One guy stated:
And every response to him was “yes you need HTTPS, everyone needs HTTPS”. one person even linked to a site that was exclusively about why absolutely every site in existence needs HTTPS or else!!!!1!11!(one)!1(eleven)!
the easy solution to all of https is to properly use it…
just don’t force-redirect to https…
let the browsers default to it, but not by force… maybe show a little banner that says “we have https for you to use” but no rules that redirect http to https… also,
and
(also I’ve yet to see a single hosting place that DOESN’T support hosting https)
I suppose I should amend my statement to “the modern web should be secure by default”. There’s no way we can un-open the Pandor’a box of people using the web for anything and everything including their kitchen sin. Since everyone is dumping information into it at an ungodly rate, of which includes personal/private information and sensitive information like bank card info, the default should be all this information being secure and encrypted until specified otherwise.
And the only way those without the latest and greatest are being left behind are in services where the vendor doesn’t care, no one has removed HTTP or preventing people from using it, for those who need it it’s there for developers to make light services for. Also, there seems to be new trends in trying to lighten up services anyways with things like this: https://medium.com/@addyosmani/the-cost-of-javascript-in-2018-7d8950fbb5d4 Showing the real-world cost of having sites be bloated and slow.
I still disagree with the idea that any web, modern or in general, should be “secure by default”. There’s no real reason to encrypt, say, a page on my thoughts about some drama somewhere that is inconsequential. Will an ISP attach ads? Do I care? It’s just something inconsequential about some drama. If an ISP wants to make money off it so be it.
Also, one thing that rubbed me the wrong was about your previous comment was the implication that the class of people with outdated tech is “always shrinking”:
In a system where tech is always advancing, doesn’t it make more sense for the population of old and slow systems to grow, rather than shrink? For example, I have a Motorola Droid Bionic in my room. If something happens to my phone I may have to use it as a daily driver. It’s really slow. Now imagine people who don’t have or can’t get upgraded tech. Do we leave them behind for the sake of the “greater good”?
What I meant my an always shrinking of slow/old systems is systems right now that cannot load sites quickly. While many don’t like to acknowledge it, the Moore’s law is reaching a theoretically plateau with the issue of 10nm being too small to make accurate processors that are faster and continue to shrink in that direction. So even moving forward, all future devices should be able to handle rendering sites quickly, and older/slower systems are always breaking and being replaced (I.e. shrinking in population).
When I say secure should be the default, I mean that people should assume they’re putting HTTPS into their product rather than adding it later upon realizing that security is important at that layer, not that everyone should blindly follow that idea for sites like a blog.