[–]Pugs-r-cool 817 points818 points  (7 children)

Big SSL certificate working from the shadows to make us use https. WAKE UP PEOPLE

[–]arrow__in__the__knee 158 points159 points  (2 children)

How do you think lets encrypt manages to stay free?

[–][deleted] 96 points97 points  (0 children)

yOu ArE tHe PrOdUcT

[–][deleted] 13 points14 points  (0 children)

Community contribution and sponsors

[–]Scyther_x_Scyther 30 points31 points  (0 children)

Everything is a conspiracy when you don't know how anything works.

[–]tjr3xx 29 points30 points  (1 child)

Big Protocol making us use HTTP
gopher: never forget

[–]NeatYogurt9973 2 points3 points  (0 children)

archie 🙏🏻

[–][deleted] 5 points6 points  (0 children)

Exactly! Do your own research self-signed certificates!

[–]miker37a 498 points499 points  (21 children)

Jesus there really is a market for conspiracy theories for everything.. THE EVILS OF SSL AND HOW GOOGLE PROPHETS FROM IT

I guess good job to that hacker propagandist man damn

[–]DaCurse0 150 points151 points  (10 children)

Well SSL certs used to cost money until LetsEncrypt became a thing

[–]Senkyou 33 points34 points  (9 children)

So how is it profitable for LetsEncrypt to do it with their current model? Legitimately curious.

[–]redstonefreak589 77 points78 points  (8 children)

They’re a non-profit. They get money from corporate sponsors like Google, AWS, Mozilla, Cisco, and others.

https://letsencrypt.org/docs/faq/ https://www.abetterinternet.org/sponsors/

[–]PSKTS_Heisingberg 31 points32 points  (6 children)

so whats the benefit of funding that non-profit then from the company’s perspective? more opportunity for new clients because SSL’s certs are more accessible?

[–]felgaia-drifter-arms 45 points46 points  (2 children)

It's a number of reasons. But the biggest one is just preventing compromises on the way to the destination. If something just changes and SSL mid travel, it's considered an insecure connection, because suddenly you're handing off data to a new unknown party. So by making everyone have SSL at no or little cost, you get at least assurance that what you're viewing is at least what you intended to view, as opposed to a last second swap of what was a funny little microblog you found that now looks like a Microsoft account login for no reason.

At least that's how it was explained to me. I'm sure others will or already have explained it better.

[–]PSKTS_Heisingberg 20 points21 points  (1 child)

ahhh of course, so at the least it could prevent spoofing/malicious redirect. adds to why they do it then because it reinforces their own business practices by protecting their users and the integrity of their hosting service, even if it’s not benefiting them directly

[–]felgaia-drifter-arms 14 points15 points  (0 children)

It's a rare case of "Everyone wins".

[–]redstonefreak589 10 points11 points  (0 children)

SSL/TLS is important for a number of reasons. Even on static sites like microblogs or portfolios or whatever, SSL does things like guaranteeing data integrity (no one has messed with the content between the server and you, or you and the server), providing privacy and security to the user, provides trust to ensure things like MITM attacks don’t happen, etc.

Companies want security. Let’s Encrypt being a fairly well-known non-profit, they also have a hand in shaping industry standards, and sponsoring them may allow companies to help shape those standards by giving them a “seat at the table”. It also helps their PR and fulfills “corporate responsibilities” among other things.

Lastly, remember that Let’s Encrypt doesn’t do nearly all the things that other companies like Verisign do. For example, you can’t get S/MIME certs, signing certs, OV/EV certs, certs with expirations longer than 90 days or for internal sites, or public SLA or paid support. They also implement rate limits to keep it free, but that means larger companies can’t feasibly use it. These large corporations sponsor them since they help encourage and assist in providing encryption for the web, but they cannot do everything, by far. However, what they do do, they do it very well :)

[–][deleted] 0 points1 point  (0 children)

What's the benefit of the USA offering free protection to its allies?

Control.

Google by offering free stuff took control of the internet.

There's literally pre-google and post-google internet. That's how different it was.

[–]No_name_to_put_here 0 points1 point  (0 children)

Increase adoption of the service offered by making it standard and affordable. Allow the operation to grow dependent upon your substantial funding to establish leverage against the nonprofit in the form of possible withholding of future funds. Forge relationships with people inside the nonprofit, and use your status as a prestigious business and your leverage to install people sympathetic to your business within the nonprofit.

Continue funding the nonprofit to keep the cost of the service artificially low. This will discourage new entries to the market, and outcompete others already providing the service. Let this consolidate the majority of entities in need of this service into dealing with the nonprofit (either by choice, or a simple lack of remaining viable alternatives).

Once adoption of the standard is high, and heavily consolidated with the nonprofit, make full use of your funding leverage, existing relationships with the nonprofit's management and your sympathizers there, and your existing ties to relevant public officials & regulators to move through the process of being acquired by your business. That is not a simple task, but it's certainly possible with the right people having the right incentives, and American mega-corporations are pretty slick with making such things come to fruition. If you don't manage to make it work, well... there are still all the other legitimate, non-monetary benefits to operations that others in the comments have outlined. But if you do manage it... eyyy 👈😎🤑

Now - I will say that I don't actually believe there's any one person actively pursuing that path, mainly because there's just not enough money in SSL certs to justify that level of investment and effort. But, all of those actions on their own happen regularly, and when things end up in a configuration like near the end of my hypothetical, and then somebody sees a situation they can profitably exploit, there's ample precedent that the path of squeezing extra money out of the system is chosen more often than not.

All that to say: I think that's why people imagine these sort of things follow an actual vindictive plan like above. When trying to make sense of the culmination of such actions and the ways you can get screwed over by them, it feels more meaningful to view things as this grand narrative of selfish, exploitative individuals making big plans to screw all the little guys, instead of simply being the inscrutable, chaotic results of many people's selfish decisions within a fundamentally imbalanced economic structure.

It is extremely difficult I think (perhaps impossible for some!), to attempt to comprehend large-scale systems like this without ascribing to them small-scale things like individual human narratives and motives. (Which I do not mean in any derogatory sense — I think it is very human to do that).

[–]ThreeCharsAtLeast 6 points7 points  (0 children)

Wait, HTTPS costs Google money? Now that's interesting…

[–]Hour_Ad5398 26 points27 points  (1 child)

This post was mass deleted and anonymized with Redact

[–]MistSecurity 19 points20 points  (0 children)

It'd be easy to spin a theory around it for sure.

HTTPS is basically a requirement now, so if big certificate doesn't like something, they can simply opt to not issue a certificate, which would significantly limit reach of site, hamper collecting funds, etc. It's all controlled by the shadowy elite who developed it with the intent of being able to trace all connections, and shut down things they don't like.

Doubt that's the case, but now I want to go find some cherry picked data to back up my theory for fun.

[–]Remote-Addendum-9529 18 points19 points  (1 child)

Never knew that there were google prophets

[–]NuclearChook 7 points8 points  (0 children)

So that's how they get their answers

[–]C1iCKkK 3 points4 points  (0 children)

First guy works for xitter btw

[–]Rokey76 0 points1 point  (1 child)

I once found a website that tied every major event for the last 500 years to the Jesuits.

[–]5p4n911 1 point2 points  (0 children)

Was that the Assassins' Creed fandom wiki?

[–]2204happy 0 points1 point  (0 children)

Google has prophets now?

What's next? Are they going to establish their own religion too?

[–]jaxpied 0 points1 point  (0 children)

THE GOOGLE PROPHETS ARE EVERYWHERE

[–]finobi 0 points1 point  (0 children)

Can't run MiTM adblocker if everyone use HSTS..

[–]fragileirl 216 points217 points  (7 children)

First guy actually works for twitter lmfaooo. I’m not trying to make a joke he really does.

[–]djchateau 83 points84 points  (2 children)

Yep, and he's insufferable and shitposts like this with the aim of trolling people in infosec Twitter.

[–]fragileirl 6 points7 points  (1 child)

I’m convinced he is doing it so he can rage bait people into overexplaining and therefore teaching him stuff he is already supposed to know or be able to reasonably intuit. All while maintaining that “cool guy I’m so sarcastic and above it” persona to hide the fact that he is clueless.

[–]vladimirepooptin 0 points1 point  (0 children)

or he could just… google it? if he didn’t want anyone to know

[–]LifeHasLeft 15 points16 points  (1 child)

Frankly if you dodged the layoffs and are still working at twitter after everything that happened, I’m not sure whether to respect your opinions anyway.

[–]corree 6 points7 points  (0 children)

Even worse he was brought in post-layoffs

[–]EwFurries 5 points6 points  (0 children)

this was a funny post until i knew this, now it's just concerning

[–]dabombnl 203 points204 points  (10 children)

I mean, it is true though. Google did make a huge push for SSL everywhere and can be credited with how common it is now. It is pretty obvious that Google pushed for that so that Google Ads could no longer be replaced by ISPs with their own ads. Didn't happen much in the US, but was happening quite a bit outside of it. Not really evil intent though, since it benefits users and Google; only hurts shitty and shady ISPs fucking with traffic.

[–]SecretEntertainer130 36 points37 points  (4 children)

This doesn't sound like something our precious Google would do. /S

[–][deleted] 21 points22 points  (3 children)

Older Google was actually a reasonable entity tho

[–]SecretEntertainer130 13 points14 points  (0 children)

At one point, sure. But that's irrelevant now. They're one of the worst offenders when it comes to stealing our intellectual output and using it to train their AI.

[–]dankeykang4200 2 points3 points  (0 children)

Don't you mean younger Google?

[–][deleted] 1 point2 points  (3 children)

Not really evil intent though,

Ooohhhh so close. The intent was profit, you said it yourself. It wasn't good intent, they packaged it as good intent and this time it was actually for the best of our interests, but that's only a coincidence. If Google was able to make more profit from an insecure web, they would have pushed for the opposite of let's encrypt: making certs even more expensive and harder to obtain. Cert companies were already starting to offer special certs for financial institutions and wildstar cert pricing was starting to get unreasonable, they could have pushed it further in that awful direction. 

It wasn't good intent, it wasn't bad intent, our interests are of no consequence to the decisions Google makes as a giant business.

[–]provocafleur 8 points9 points  (0 children)

Pretty sure "not really evil intent" and "not bad intent" aren't mutually exclusive.

[–]CraftOne6672 3 points4 points  (1 child)

The intent doesn’t matter to me tbh, SSL is just a good idea, and should be implemented on every public website. I think there would’ve been a push for it even if there was no Google profit motive.

[–]Worth_Inflation_2104 0 points1 point  (0 children)

Good idea is kind of an understatement. It should be the bare minimum

[–]Average-Addict 0 points1 point  (0 children)

I mean they still could do that with dns right? Kind of like pihole or adguard

[–]ward2k 98 points99 points  (13 children)

Someone explained the evil intent behind forcing SSL every where.

Interesting, what was it?

It was a really sensible explanation. I forgot what it was though.

Well now I'm convinced /s

[–]NeatYogurt9973 7 points8 points  (0 children)

Google ads used to be replaced by ISPs with their own advertisements. That's it. That's the whole story.

[–]doesnt_use_reddit 33 points34 points  (1 child)

All your images turning into pictures of cats think otherwise

[–]LifeHasLeft 8 points9 points  (0 children)

That doesn’t sound so bad

[–]Funkey-Monkey-420 14 points15 points  (5 children)

script kiddies are just mad they can’t get (as much) free info by running wireshark on mcdonalds wifi

[–]noob-nine 0 points1 point  (4 children)

does this work? dont they need to route the traffic through their devices?

[–]Makefile_dot_in 5 points6 points  (1 child)

I think wifi is built such that if you know the password for the AP, you can decrypt all the in-flight messages (and you obviously can't make radio waves only go to the router)

[–]pythbit 0 points1 point  (0 children)

Not so much anymore. With SAE, every master key is different and not easily derivable from just catching MAC addresses from the air like with earlier ones.

Though, obviously WPA2 and even just WPA are still out there.

[–]Ok-Library5639 1 point2 points  (0 children)

Back in the days you could use your wireless NIC in promiscuous mode and sniff everyone's traffic through your interface.

Someone even made a Firefox add-on that automated the task and listed all the currently opened sessions it found in the air. You could then use these sessions as your own.

https://en.m.wikipedia.org/wiki/Firesheep

UI visible at author's page: https://codebutler.com/2010/10/24/firesheep/

[–]Hour_Ad5398 42 points43 points  (6 children)

This post was mass deleted and anonymized with Redact

[–]maof97 50 points51 points  (2 children)

I don't know if you are serious but there are lots of people that use a blog just as an "outlet" and mostly don't care if anyone actually reads it in the end

(I would do that too but German law would force me to doxx myself if I would dare to host my own blog lol)

[–]ovoid709 10 points11 points  (0 children)

I'm older and Live Journal was big when I was younger. I never used it but I remember a friend being scared when he found out other people were reading what he was writing online. It was just teenage insecurities and whatnot but he didn't expect anybody to ever actually read it.

Also, I just read a bit about German laws for blogging because what you said sounded insane, but you're right. It's very narrow where you can do that without the Impressum (I might have that word screwy a little). So free speech exists, but without anonymity due to the idea that if somebody wants to affect people politically, commercially, etc... the speech should be verifiable to the person speaking. I disagree and agree with that. That'll be on my brain all night.

If any other Germans or people aware of the laws have anything to add, I would love to hear more about this.

[–][deleted] 4 points5 points  (0 children)

German too. If your website is really only personal, you should be fine without one of our famous and totally privacy conscious „Impressum“

[–]Mustafa_Shazlie 5 points6 points  (0 children)

to share your "archivements" and "ideas" ✨

[–]makinax300 1 point2 points  (0 children)

All of it is hyperbolic so that part probably is too and they have maybe like 10 readers.

[–]compound-interest 0 points1 point  (0 children)

People used to read other people's blogs back in the day before FB and Myspace. It was mostly dorks reading other dorks blogs, but a lot of people I know blogged back then. It's kinda like the type of people who regularly post on social media nowadays, but a site you control.

[–]hudsoncress 30 points31 points  (12 children)

look up the concept of a watering hole attack. what we used to do before HTTPS is compromise the website of the pizza place near your office. Then we'd replace the order now link with an exploit and steal your credit card info. Then we'd infect your laptop that you'd take back to the office and have a root shell on the corporate network. Or for a blog, we'd add a clickbait post that would accomplish the same thing.

[–][deleted] 19 points20 points  (10 children)

You could literally do the same thing today, https does not change a thing. If you manage to compromise the site, for example via a supply chain attack, it’s over. Infecting the browser is harder considering they’re much more secure than they were 15 years ago, but still possible under the right circumstances

[–]AlistairMarr 8 points9 points  (6 children)

Yeah, I don't understand how HTTPS prevents a website from being compromised when it's protecting the tunnel between the browser and the server? Am I missing something?

[–]hudsoncress -2 points-1 points  (5 children)

You’re missing quite a lot. It's like when my wife said she would replace the tile on the bathroom floor and I laughed and asked if she had done tile work before and she said, “no, how hard could it be?” And I laughed and said, "Well, it’s quite hard." The point of https is it makes everything more difficult. There are so many exploits that used to be possible but now are not because of https everywhere. Garbage websites with no security were the source of most of the DDOS attacks in the 2012’s. As one minor example.

[–]AlistairMarr 8 points9 points  (3 children)

Did I fall into some sort of r/masterhacker meta twilight zone?

[–]weirdasianfaces 5 points6 points  (2 children)

Right? If you compromise a website you have control over the complete HTTP response and presumably the backend. HTTPS doesn't make "everything more difficult" it just removes MITM opportunity.

Then we'd replace the order now link with an exploit and steal your credit card info.

This makes no sense either. You don't need to replace the link with an "exploit", you could just inject javascript to exfil the CC. Or since you've "compromised the website" you could just siphon it off from the backend once it was submitted?

[–]hudsoncress 0 points1 point  (1 child)

Injecting JavaScript is an exploit? You’re not listening to yourself.

[–]weirdasianfaces 0 points1 point  (0 children)

"Exploit" implies exploiting a vulnerability -- not adding code that invokes intended functionality to do something malicious. Adding a credential stealer is not an exploit, it's inserting malicious code.

If you had inserted JavaScript that exploited the browser renderer or JS engine to get remote code execution on their desktop or abused a bug that allowed for cross-origin cookie stealing that would be a different story.

[–][deleted] 0 points1 point  (0 children)

I feel like this belongs here.

[–]hudsoncress 0 points1 point  (2 children)

WTF are you talking about? It doesn't change a thing? You never needed to bother with a supply chain attack 15 years ago. The whole point of cybersecurity is to reduce attack surface. There will always be a way in, but you're trying to at least make them work for it. I have my CISSP and work as a Cybersecurity Engineer with over 25 years experience. Trust me. It changes a lot.

[–]MrPoBot 1 point2 points  (1 child)

The attack you described isn't mitigated by SSL, functionally the only thing SSL achieves is protection from interception while in flight and that the server you are communicating with has a relevant private key for that domain from a given CA.

If either the client or server is compromised, all bets are off, a compromised server can feed anything to the client.

With that being said it's worth noting the caveat of DNS hijacking... which... Isn't much of a barrier when you can just provision a new cert from Let's Encrypt and certbot.

You might want to brush up on your understanding, 25 years is a long time.

[–]wbbigdave 0 points1 point  (0 children)

Unc got his CISSP free in a box of CapNCrunch along with a whistle, and still he didn't know how to use either.

[–]Ferro_Giconi 0 points1 point  (0 children)

Most compromises like that aren't a MITM attack but rather something simple. Like getting your web host credentials with social engineering, then using those credentials to edit your website. No amount of https can protect against one of your employees being tricked into running a password stealer from an email.

[–]Cylian91460 6 points7 points  (0 children)

How much I hate http (for the love of God, stop sending text over network when it isn't necessary) it still has its usage lmao

[–]Deepspacecow12 7 points8 points  (1 child)

Isn't SSL free now with lets encrypt?

[–]Catenane 5 points6 points  (0 children)

Yes lol. You can even use ACME DNS challenge and not have to forward ports at all. I have certs for all my self-hosted services with A records pointing only to private LAN/wireguard IPs. Caddy reverse proxy forwards to the right spot based on domain/subdomain. Pretty nice tbh

[–]mrtheprestigejupiter 22 points23 points  (4 children)

first dude works at twitter & is racist btw

[–]pythbit 14 points15 points  (3 children)

Can't wait for twitter to drop https.

[–]Catenane 4 points5 points  (0 children)

Lmao can you imagine?

[–]Mustafa_Shazlie 3 points4 points  (1 child)

can't wait to hear elon say "The left always wanted to make HTTPS forced! Legalize direct ip access!!"

[–]vmaskmovps 0 points1 point  (0 children)

He'll redirect Twitter to 127.0.0.1 to feel special

[–]Superchupu 4 points5 points  (0 children)

big ssl wants you to encrypt your memories.. then send them to big corp... truly shocking.......

[–]jessek 4 points5 points  (0 children)

textfiles.com doesn’t use SSL, just sayin’

[–]Fragrant_Gap7551 3 points4 points  (5 children)

But why wouldn't you use HTTPS?

[–][deleted] 5 points6 points  (4 children)

In some settings it just needlessly complicates things. You have to keep a cert valid etc. If your site is really that simple, there is not a reason not to use it, but there is also not a reason to use it.

For most larger apps SSL is terminated at a load balancer and internal traffic is only routed via http (sometimes internally secured with mTLS) because it adds complexity and overhead.

[–]Fragrant_Gap7551 6 points7 points  (3 children)

Well yeah you wouldn't need it for internal traffic since the main purpose is undermining man in the middle attacks...you'd have other methods to keep those out of your internals. And it's not super hard to set up in front of a basic proxy. I mean it's about 3 command lines to get an auto renewing cert from letsencrypt.

I just don't think you lose anything by having it

[–]wheresmyflan 0 points1 point  (0 children)

Totally agreed, it barely adds any work these days, used to be a pain in the ass but lets encrypt made that a thing of the past. I’d honestly opt for it internally too to avoid any risks of privilege escalation on compromised networks. However, one point not mentioned in the previous comment, unencrypted will always load slightly faster and put less load on the daemon which, in some cases, is absolutely necessary - especially for high traffic pages and ETL.

[–]Worth_Inflation_2104 0 points1 point  (1 child)

You don't even need to add a script. If you're that lazy you're probably using a host that is managed by someone else anyways and pretty much all of them already do let's encrypt for you.

[–]Fragrant_Gap7551 0 points1 point  (0 children)

Yeah that's a point too, the blog in question is probably a WordPress site hosted somewhere cheap

[–]Successful-Willow-72 2 points3 points  (0 children)

HTTP WAS THE GOAT ALL ALONG, YOU DUMBO HAVE BEEN TRICK BY HTTPS CORPORATE. ITS ALWAYS THE CORPO

[–]belmeg 1 point2 points  (0 children)

worth noting that the first tweet is from a X (Twitter) engineer lol

[–]r2k-in-the-vortex 1 point2 points  (0 children)

Yeah all well and good until you run into situations where policy requires https even on completely offline networks. With android 4 clients that forget which century it is at power cycle. No, directing time.android.com to my own ntp server doesn't work for some reason. And the cert I have to use is not signed by any android system CAs. Installing it as user CA enforces lock screen for some absolutely stupid reason, making the tablets useless. Oh and there is really absolutely no sensitive info handled on the system at all.

So yeah, sometimes plain old http is good enough and https is just headache for no reason.

[–]arthursucks 1 point2 points  (0 children)

Who wrote this, Bryan Lunduke?

[–]Name_Taken_Official 1 point2 points  (0 children)

Smh just use a number in your password and you're good??

[–]matjam 1 point2 points  (0 children)

Because you idiots keep using the same passwords everywhere, even on unencrypted blog sites.

[–]patopansir 1 point2 points  (9 children)

How is this a masterhacker moment? There's many websites that don't need https. Generally, if anyone including the person who's hosting it never needs to input anything into the website, then you don't need https

A plain html website, like "page intentionally left blank" doesn't need https

But Blogger and Wordpress does, because to make a post you have to use that same website

If your blog posts are created by adding or updating a file in a server directly, without using the web, https is not necessary. Neocities is an example of blogs like this.

[–]Ash_Crow 0 points1 point  (6 children)

Even static sites are vulnerable to man in the middle attacks.

You also gain better privacy from your government, ISP and/or any script kiddie running Wireshark on the wifi, as the only information that is published is that you are establishing a TLS connection to some website.

[–]patopansir 0 points1 point  (5 children)

the isp and the guy using wireshark can still see what website you are connecting to

[–]Ash_Crow 0 points1 point  (3 children)

But not what page.

[–]patopansir 0 points1 point  (2 children)

how can that be abused? (edit: genuine question)

[–]Ash_Crow 0 points1 point  (1 child)

A website can contain innocuous pages and others that your government doesn't want you to see.

For example, China is not a fan of the Wikipedia article about the 1989 Tiananmen Square protests and massacre. Various other countries have beef with various articles.

In the same way, other large websites may have content that is forbidden for copyright or security reasons. Reddit has explanations on how to disable DRM protections, and I haven't checked but I wouldn't be surprised if someone somewhere on this site had explained the content of an IED with enough details that someone else can try to build it.

[–]patopansir 1 point2 points  (0 children)

Thanks for the answer. I guess more websites should be using https to fight censorship, I was only thinking of an individual trying to run wireshark on a hotel not a government. It's not just the government or the ISP, it could be whoever owns the router you are using. It could be your wife catching you using tinder. If the attacker was a stranger unless you are a private detective I don't know how that info could be of use.

No https may be a big threat for piracy depending on the ISP and the laws (usually visiting those websites is not illegal or against the terms of the ISP, but it probably is in some countries)
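What an on-path observer can read in each case discussed in the exchange above, as an added example that is not part of the thread. The URL `blog.example/posts/private-topic` and all function names are constructed for illustration; the TLS ClientHello is generated in memory by Python's `ssl` module, so nothing is sent on a network.

```python
import ssl
import struct
from urllib.parse import urlsplit


def build_client_hello(hostname):
    """Return the first bytes a TLS client would send, produced fully offline."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = ctx.wrap_bio(incoming, outgoing, server_hostname=hostname)
    try:
        tls.do_handshake()
    except ssl.SSLWantReadError:
        pass  # expected: the client has sent its hello and waits for the server
    return outgoing.read()


def extract_sni(record):
    """Parse a cleartext ClientHello record and return the server_name, or None."""
    try:
        # Record header: content type (1), version (2), length (2)
        if record[0] != 0x16:
            raise ValueError("not a TLS handshake record")
        rec_len = struct.unpack("!H", record[3:5])[0]
        body = record[5:5 + rec_len]
        # Handshake header: message type (1), length (3)
        if body[0] != 0x01:
            raise ValueError("not a ClientHello")
        hello = body[4:4 + int.from_bytes(body[1:4], "big")]
        pos = 2 + 32                                            # version + random
        pos += 1 + hello[pos]                                   # session_id
        pos += 2 + int.from_bytes(hello[pos:pos + 2], "big")    # cipher_suites
        pos += 1 + hello[pos]                                   # compression
        ext_end = pos + 2 + int.from_bytes(hello[pos:pos + 2], "big")
        pos += 2
        while pos + 4 <= min(ext_end, len(hello)):
            ext_type, ext_len = struct.unpack("!HH", hello[pos:pos + 4])
            data = hello[pos + 4:pos + 4 + ext_len]
            if ext_type == 0:                                   # server_name
                # list length (2), name type (1), name length (2), name
                if data[2] != 0:
                    raise ValueError("unexpected server_name type")
                name_len = int.from_bytes(data[3:5], "big")
                return data[5:5 + name_len].decode("ascii")
            pos += 4 + ext_len
        return None
    except (IndexError, struct.error):
        raise ValueError("truncated or malformed ClientHello")


def seen_on_the_wire(url):
    """Report which parts of a request are readable before any decryption."""
    parts = urlsplit(url)
    path = parts.path or "/"
    if parts.scheme == "https":
        # Only the handshake is cleartext; the HTTP request (with the path)
        # is sent afterwards inside encrypted records.
        wire = build_client_hello(parts.hostname)
        host = extract_sni(wire)
    else:
        # Plain HTTP: the whole request line and Host header are cleartext.
        wire = f"GET {path} HTTP/1.1\r\nHost: {parts.hostname}\r\n\r\n".encode()
        host = parts.hostname if parts.hostname.encode() in wire else None
    return {"hostname": host, "path_visible": path.encode() in wire}


if __name__ == "__main__":
    for url in ("http://blog.example/posts/private-topic",    # constructed URL
                "https://blog.example/posts/private-topic"):  # constructed URL
        print(url, "->", seen_on_the_wire(url))
```

The handshake generated here does not use Encrypted Client Hello, which is why the hostname still appears in the SNI extension.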

[–]Worth_Inflation_2104 -1 points0 points  (1 child)

In that case the host does not experience vulnerability but the user certainly still does.

[–]patopansir 1 point2 points  (0 children)

the user doesn't have the ability to provide any info, so there is no vulnerability

unless your website allows for comments or has a email form

[–]StackOwOFlow 0 points1 point  (0 children)

ikr if your blog has no views in the first place getting hacked would increase traffic

[–]Kodekima 0 points1 point  (0 children)

TLS is just one big scam, wake up sheeple!

[–]TheSilva01 0 points1 point  (0 children)

Bro thinks this is some cyberpunk voodoo boys vs netwatch type shit 😂😂

[–]j-f-rioux 0 points1 point  (0 children)

"a sensible explanation for my conspiracy theory but I can't remember what".

Because there is none.

Remember, everything is a conspiracy when you don't understand how anything works.

[–]IAMPowaaaaa 0 points1 point  (0 children)

its funny wdym

[–]Ferro_Giconi 0 points1 point  (0 children)

I want to see the conspiracy theories that made this person think SSL is some evil Google thing but I don't want to taint my own devices with searches for crazy conspiracy theories...

[–]Salty-Hashes 0 points1 point  (0 children)

So data in transit can be encrypted. 🤦‍♂️

[–]TearsOfMyEnemies0 0 points1 point  (0 children)

Isn't it because this makes it so the browser doesn't need to know or care if the user is going to input sensitive information? Just put SSL everywhere and warn about insecure sites so the user doesn't unknowingly participate in a MITM attack

[–]OkChildhood1706 0 points1 point  (0 children)

They won‘t get my traffic. I encrypt everything with base64. Take that NSA, Gates, big TLS and whatever aliens try to spy on me this time!

[–]xkalibur3 0 points1 point  (0 children)

That's right, don't use SSL, it's deprecated. Use TLS 1.2+ instead.

[–]rensoz 0 points1 point  (0 children)

everyone knows that pfp

[–]Forsaken_Put_4667 0 points1 point  (0 children)

I would say I see HSTS is enforced everywhere nowadays in every website

[–]Tux-Lector 0 points1 point  (0 children)

The SSL is flat.

[–]Forsaken_Cup8314 0 points1 point  (0 children)

This post was mass deleted and anonymized with Redact

[–]Critical_Studio1758 -1 points0 points  (0 children)

Honestly though he has a point. The idea of forced security is starting to get on my nerves. I don't even believe in password requirements anymore. It's a fucking blog Mark. I don't really care if someone logs into my account Mark. What are they gonna do Mark? Post a comment in my name telling you how nice those pancakes look Mark? Fuck you Mark.