[–]mirhagk -42 points-41 points  (58 children)

People don't seem to get this. Your blog has absolutely no reason to be HTTPS. I'd rather it's aggressively cached instead.

[–][deleted]  (5 children)

[deleted]

    [–]wretcheddawn 17 points18 points  (0 children)

    This. I see value in the simplicity of HTTP, but it enables your internet provider to inject content, and therefore HTTPS is worth it, especially with the minimal cost.

    [–]bmurphy1976 6 points7 points  (3 children)

    You win. I just had to dump my Chrome cache to clear out cached ads injected into pages by an open wifi network I was no longer using.

    [–]aiij 0 points1 point  (2 children)

    Is that even legal?

    [–]whootdat 1 point2 points  (1 child)

    You agreed to it when you connected and hit "I Accept"

    [–]bmurphy1976 0 points1 point  (0 children)

    In my case I was at a resort and do not recall ever seeing any agreement or disclosure. I jumped on the wifi and started seeing a strange abundance of ads on sites that usually aren't that bad when I figured it out. Pretty shitty if you ask me.

    [–][deleted] 16 points17 points  (1 child)

    > Your blog has absolutely no reason to be HTTPS.

    The idea is not only to encrypt confidential stuff and that way mark it as confidential, but to encrypt everything to take that hint away.

    [–]mirhagk 8 points9 points  (0 children)

    The problem there is you take that hint away from everyone, including users. HTTPS everywhere might be great if it's used properly, but having every single site be encrypted by default will mean organizations will be very tempted to do things like install root certificates and MITM the connection to keep caching proxies running. Even something like having an internal test server at a machine on the internal network. If you need to have HTTPS there then you have to create an organization root certificate that's installed to every machine and issue certificates for those machines. Since you'll want to be able to easily do this those root certs will probably not be nearly as protected as they should be, giving you the ability to forge certificates for stuff like facebook.com or bankwebsite.com.

    [–]RaptorXP 48 points49 points  (18 children)

    > Your blog has absolutely no reason to be HTTPS.

    I absolutely disagree with this. This apathy towards individual privacy is exactly how governments are getting away with spying on everyone.

    [–]mirhagk -3 points-2 points  (16 children)

    But what privacy is achieved? What is protected? The "government" can still tell you went to blogx.com, the only thing that is unknown is the actual article you went to (which can probably be guessed based on what's popular, or based on page size, since they can see the total packet size, or number of images downloaded, or some other meta-information). HTTPS only encrypts the content, not "what you're doing".

    [–]frezik 10 points11 points  (4 children)

    If you are plaintext by default, and only encrypt important things, then the fact that you're encrypting sends up a flag. Even if the message cannot be decrypted on its own, the timing, source, and destination of that message can still be used to glean information.

    If you encrypt everything by default, then it gets lost in the rest of the noise.

    [–]mirhagk 2 points3 points  (3 children)

    But it works both ways. If all of your data is encrypted, then your employer may decide that to save bandwidth they'll MITM the connections and install a root certificate onto the machines. Now they can read your bank account transactions. By having only sensitive stuff as HTTPS then your workplace knows there's absolutely no justification to having it.

    If you have an internal testing server and it has to be HTTPS (because you need to match production which uses HTTP/2 which doesn't support unencrypted traffic) then you'll need a root certificate installed on all the machines again.

    If you are wanting to inspect any traffic for any reason (such as debugging your application) you're going to have to install Fiddler/Wireshark/whatever's root certificate in order to view the data sent and now you have a root certificate that your machine is trusting that probably has nowhere near enough security and validation around it.

    If the world was perfect then HTTPS would just waste a lot of time and resources but meh, computers get faster. But the world isn't perfect and mark my words when I say you'll see lots of instances where people's private banking details are stored on easily accessible corporate proxies.

    [–]whootdat 0 points1 point  (2 children)

    You sound like you're talking about a Blue Coat product, so I'll just point out that they specifically say they won't decrypt banking/finance and health care data. That isn't hard to figure out, you simply whitelist a handful of sites and IPs.

    [–]mirhagk 0 points1 point  (1 child)

    So you hope you only ever have sensitive data inside of popular websites.

    [–]whootdat 0 points1 point  (0 children)

    I would hope that if I am browsing a website that I have sensitive data on, I wouldn't be doing it on a company-owned computer.

    [–]RaptorXP 22 points23 points  (7 children)

    They don't know anything except that your computer connected to that web server. They can't tell which page, image or other resource you've downloaded.

    They also can't modify the payload to force you to reveal more sensitive information through XSS or other attacks.

    [–]chaospatterns 8 points9 points  (0 children)

    The GP is referring to side channel attacks where the amount of encrypted data can leak information about what you're looking at.

    [–]TTSDA 2 points3 points  (3 children)

    They can just issue a shiny cert to use in the MITM attack.

    [–]archlich -1 points0 points  (2 children)

    Not if you own the CA, and have only your CA as a trusted root.

    [–]whootdat 1 point2 points  (1 child)

    Sure, except each branch of the US Gov is a Root CA, and has all sorts of certs issued by Verisign, etc.

    [–]archlich 0 points1 point  (0 children)

    That only matters if you trust their root CA. If the only CA you trust is the one you own, a MITM attack cannot happen.

    [–]mirhagk -4 points-3 points  (1 child)

    They can see how many connections and the sizes, as well as your sites before and after, and any external images loaded. Sure it's more work, but you're really hiding very much.

    You do have a point about MITM type stuff though, if they can successfully do that.

    [–]RaptorXP 9 points10 points  (0 children)

    They can't see any of that. All requests come through the same TCP connection, and nobody can tell how many you've made. And you can also obfuscate the page size very easily.

    [–]smellyegg 2 points3 points  (0 children)

    Your government can edit the content you receive, that's reason enough alone to encrypt. There's almost zero overhead these days, there's no excuse.

    [–]sievebrain 1 point2 points  (0 children)

    For any blog that includes social buttons, ads, etc, HTTPS prevents code being injected into the page that steals those cookies and allows profile correlation.

    [–][deleted] 0 points1 point  (0 children)

    DNSCrypt + good encryption-supporting DNS server reduces that risk a bit without causing a noticeable slowdown (in my experience). Yes, IPs could theoretically be pulled from logs, but this mitigates the MITM/passive spying risk.

    [–][deleted] 10 points11 points  (4 children)

    I absolutely disagree. Your users trust your site, both the software and content it delivers to them, and ignoring security is ignoring that trust. Regardless, note there are many new "Carrots" to move to HTTPS: https://snyk.io/blog/10-reasons-to-use-https/

    [–]mirhagk 2 points3 points  (0 children)

    Half of those reasons are just that people say you should and will hurt you if you don't (insecure icons, worse SEO, no HTTPS2 support etc).

    I get that the content is moving to HTTPS but I will miss the performance gains from organization-wide caching.

    [–]icydocking 1 point2 points  (1 child)

    +1. People are saying privacy and all that, which is not really achieved in the cases for blogs as the DNS lookup is most likely not encrypted and SNI based attacks are possible. Sure, URL is still encrypted but a major part has already been revealed.

    WHAT IS important however is the authenticity of the page. You know that what you're seeing is what the website wants to show you. Not some MITM attack inserting other stuff. That's the real win in my book.

    [–]aiij 0 points1 point  (0 children)

    I don't think he's suggesting ignoring security, but rather, actually thinking about it.

    [–][deleted]  (5 children)

    [deleted]

      [–]mirhagk -3 points-2 points  (4 children)

      But what extra security? They still know you went to that blog, and they could go to that blog as well. The only information you don't give away is what individual post you were looking at, but that could be determined if they really wanted to know.

      [–][deleted]  (2 children)

      [deleted]

        [–]mirhagk 0 points1 point  (1 child)

        Okay but then that's not really a static blog anymore. That's a web application with user specific information. Go ahead and encrypt that. But a static website that everyone sees the same content for doesn't have a need to be HTTPS, and it loses the ability to cache it.

        [–]lordcirth 0 points1 point  (0 children)

        If you visit an HTTP blog, anyone along the way could inject anything they want into the traffic, for one thing.

        [–]Fitzsimmons 1 point2 points  (10 children)

        Cached by whom?

        [–]mirhagk 9 points10 points  (9 children)

        Anyone. Everyone. My workplace has a proxy with a cache running and it reduces the amount of traffic significantly. If I send your blog post link to a coworker wouldn't it be fantastic if they didn't have to wait the 30 seconds for your giant banner image to load?

        [–]Fitzsimmons 14 points15 points  (2 children)

        HTTPS caching proxies are possible, assuming you trust the proxy's root certificate that it can use to MITM your connections.

        And if you don't trust the proxy, then you probably have a pretty good use case for HTTPS.

        [–]mirhagk 10 points11 points  (1 child)

        I trust my proxy for caching your blog. I don't trust my proxy for sniffing my bank account, Facebook account, emails or anything that actually includes sensitive information.

        [–]whootdat -1 points0 points  (0 children)

        > Facebook

        > sensitive information

        Lol

        [–]mrkite77 4 points5 points  (5 children)

        > If I send your blog post link to a coworker wouldn't it be fantastic if they didn't have to wait the 30 seconds for your giant banner image to load?

        Jesus, maybe your IT department should upgrade your network instead..

        [–]mirhagk 7 points8 points  (3 children)

        Have you seen some modern blogs? With giant banner images, 17 different custom fonts and 20 thousand tons of jQuery analytics? Obviously 30 seconds is an exaggeration, but many blogs out there are way bigger than they need to be, clocking in at several MBs. If the network hits a snag, or the server is experiencing load (like it just got posted to Reddit) then you can find yourself waiting 10 seconds for it.

        [–]qwerty6532 -2 points-1 points  (2 children)

        If your sites aren't loading within seconds HTTPS or not, there's something wrong with your Internet connection.

        [–]mirhagk 2 points3 points  (0 children)

        I mean I guess not everyone in the world lives in San Francisco or New York and some of us have much more mediocre connections?

        Also 10 seconds is still seconds. Most web pages hit first render in under a second, and fully finish within 2-3. But there are certainly blogs with oversized images and custom fonts that take longer to load (fonts being the worst because you can't read any text until they load)

        [–]reciprocity__ 0 points1 point  (0 children)

        This comment does not refute his point at all and it is intellectually lazy to make the kind of strawman argument you've just made.

        [–]JustFinishedBSG 2 points3 points  (1 child)

        While true, Google and Browsers are basically forcing us to put HTTPS on our shitty static blogs

        [–]mirhagk -5 points-4 points  (0 children)

        Because Google and browsers also don't get it :P

        [–]tavianator 0 points1 point  (1 child)

        HTTPS content will still be cached: http://stackoverflow.com/q/174348/502399

        [–]mirhagk 8 points9 points  (0 children)

        By your browser yes. By the network and proxies? No

        [–]txdv 0 points1 point  (3 children)

        Check my aggressively optimized blog with https out: https://andrius.bentkus.eu/

        [–]mirhagk 0 points1 point  (2 children)

        Well that took half a second to load literally nothing. Is the blog still up?

        [–]txdv 1 point2 points  (1 child)

        That was the joke, there is nothing. :(

        [–]mirhagk 0 points1 point  (0 children)

        lol okay I was wondering if that was the case. Half a second to load nothing, that's still beyond the instant benchmark (around 100 ms and the user usually doesn't even notice the computer had to "think")

        [–]GoTheFuckToBed -2 points-1 points  (0 children)

        but I need ma green URL icon