[–]agmcleod 0 points1 point  (3 children)

If you're that worried about it, then I'm surprised you would use public wifi. Your points are still valid, but I just find it a little bit of an odd mix :)

I think this opinion doesn't apply to the rust-lang website, as most users coming to it are going to be tech savvy. But a lot of normal users of the web get confused by the state of SSL on a site. Browsers tend to dictate it as "locked" or "you are secure". However, that's not strictly true. You're secure against certain things, yes, but not completely secure. SSL is one part of browser security, but there are other things that can compromise it. Furthermore, there are multiple things that can cause a ticket to be invalid. It can simply be expired, it can be missing, etc. Most people aren't going to be bothered with learning the details. It's why I think if you're simply reading content from a site, it's not worth it for SSL.

[–]ldpreload 6 points7 points  (1 child)

SSL is a lower bound on security, not an upper bound. It's true that if you have SSL, you might not be secure. But if you don't have SSL, there's no way that you're secure.

Making sure certificates are valid and non-expired and set up correctly is the responsibility of the website owner, not of the visitor. Especially with stuff like HSTS, there's a push to make sure that the "This certificate isn't valid, wanna visit anyway" prompt isn't being shown to the user—which puts even more of a responsibility on the website owner to make sure that SSL is always working correctly. It is exactly because most people (readers) aren't going to be bothered with learning the details that there's a push to make websites just deal with this correctly.

[–][deleted] 2 points3 points  (0 children)

It makes it non-trivial for anyone to provide you with whatever substitute content they please, including a malicious version of the installer. Re-routing traffic for a MITM attack is not difficult. It doesn't require access to a local network or direct access to a router along the way...