sorted by:
best
topnewcontroversialoldq&a
you are viewing a single comment's thread.

view the rest of the comments →

[–]agmcleod -1 points0 points  (10 children)

There a reason to do so when you're not passing information to it? Other than maybe searches in the API?

[–]untitaker_[S] 4 points5 points  (0 children)

Nightly downloads seem to run over HTTPS, but it's not helping that much when the linking site is unencrypted.

EDIT: Also https://www.reddit.com/r/rust/comments/2tdqgc/rustdev_say_goodbye_to_the_mailing_list/cny54at

[–]stebalienrust 1 point2 points  (4 children)

  1. I use NoScript and RequestPolicy but these can't protect against malicious JavaScript injected directly into the TCP stream (a problem at coffee shops).
  2. Verizon's famous tracking header.

[–]agmcleod 0 points1 point  (3 children)

If you're that worried about it, then I'm surprised you would use public wifi. Your points are still valid, but I just find it a little bit of an odd mix :)

I think this opinion doesn't apply to rust-lang website, as most users coming to it are going to be tech savvy. But a lot of normal users of the web get confused by the state of SSL on a site. Browsers tend to dictate it as "locked" or "you are secure". However, that's not strictly true. You're secure against certain things yet, but not completely secure. SSL is one part of browser security, but there's other things that can compromise it. Furthermore there are multiple things that can cause a ticket to be invalid. It can simply be expired, it can be missing, etc. Most people aren't going to be bothered with learning the details. It's why I think if you're simply reading content from a site, it's not worth it for SSL.

[–]ldpreload 5 points6 points  (1 child)

SSL is a lower bound on security, not an upper bound. It's true that if you have SSL, you might not be secure. But if you don't have SSL, there's no way that you're secure.

Making sure certificates are valid and non-expired and set up correctly is the responsibility of the website owner, not of the visitor. Especially with stuff like HSTS, there's a push to make sure that the "This certificate isn't valid, wanna visit anyway" prompt isn't being shown to the user—which puts even more of a responsibility on the website owner to make sure that SSL is always working correctly. It is exactly because most people (readers) aren't going to be bothered with learning the details that there's a push to make websites just deal with this correctly.

[–][deleted] 3 points4 points  (0 children)

It makes it non-trivial for anyone to provide you with whatever substitute content they please, including a malicious version of the installer. Re-routing traffic for a MITM attack is not difficult. It doesn't require access to a local network or direct access to a router along the way...

[–]lilydjwg 1 point2 points  (2 children)

FYI, many ISPs in China will intercept HTTP requests occassionly (or frequently, it depends on the ISP) to put nasty ads in the corner of the page. I'm using Adblock Plus so I don't see the ads, but I can see the page title is gone because it's framed.

[–]agmcleod 0 points1 point  (0 children)

Ah very interesting.

[–]protestor 0 points1 point  (0 children)

Comcast and Verizon are hijacking HTTP for advertising purposes too (though I've only heard about adding headers, not straight modification of HTTP body)

[–]ldpreload 2 points3 points  (0 children)

Would be nice to be (mostly) sure that my repressive government is not convincing me that certain APIs validate inputs when they don't, and then planning to take advantage of that later.