zlacker

[return to "Apple already shipped attestation on the web, and we barely noticed"]
1. uwagar+k9 2023-07-25 14:47:46
>>pimter+(OP)
I'm gonna remove even HTTPS from my server. Gotta go HTTP in protest against this nonsense.

I'm already pissed off that Firefox warns people that my site is unsafe for them when I don't even stick a cookie on them and yet provide useful Free software.

2. Avaman+ha 2023-07-25 14:51:32
>>uwagar+k9
That's like pissing in your own pants to try and keep warm when you weren't cold in the first place.
3. uwagar+Lx 2023-07-25 16:13:04
>>Avaman+ha
I mean, if I'm not tracking the user at all, why should I use HTTPS?
4. helloj+W81 2023-07-25 18:16:13
>>uwagar+Lx
To prevent ISP or MITM injection... ISPs have a history of injecting ads into HTTP connections.
5. 0xbadc+sa1 2023-07-25 18:21:51
>>helloj+W81
They're right though. The browser should have had a mode that ensures integrity without privacy (it's trivial; use PKI to sign the content, send the signature as a header, client validates the signature, and you have integrity over plaintext; or just a form of HSTS, if you don't need PKI, because if HSTS is good enough for certs, it's good enough for anything ELSE, right?). There could be protocol extensions that support clients only loading dynamic or identifying content for specific requests. All sorts of features could allow basic plaintext connections with public content to be as secure as HTTPS.

But the browser oligarchy doesn't want to allow that. They want to force everything to be private, which has caused tons of issues on the internet. And actually, it has strengthened the oligarchy, by forcing us to use private services (such as DNS-over-HTTPS, VPNs, CDNs, etc) which locks more of the internet into the control of a tiny handful of super powerful companies. To the point where if one of them decides to change something, it ripples across the entire internet, and everyone is forced to adopt it or break everything.

Crazier still... HTTPS isn't even that secure! Every year there are examples of valid certs being created for MITM. There are multiple vulns that work at any time. Mitigations that are optional and only a tiny fraction of the web use. And cert expiration, HSTS, and other issues still take down sites accidentally. But they force everyone to use it anyway!

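[Editor's note, not part of the thread] The "sign the content, send the signature as a header, client validates it" sketch in the post above, worked through as an added example (this is not code from any poster, and no browser implements it). The header names, the Ed25519 choice, the hash-then-sign layout and the pinned public key are all assumptions made here. The origin signs the body, the client verifies against a key it already trusts, and a middlebox that injects an ad into the plaintext is caught. The signed message also binds the request method, path and an expiry, because a signature over the bare body would let the same on-path attacker serve one legitimately signed page in place of another, or replay an old one forever; those two cases are exercised as well.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"net/http"
	"strconv"
	"time"
)

// Header names are assumptions for this example, not any standard.
const (
	hdrSig     = "X-Content-Signature"
	hdrExpires = "X-Content-Expires"
)

// signedMessage is the byte string that actually gets signed: method, path,
// expiry and the SHA-256 of the body. Binding method/path/expiry is a design
// choice here, so a valid signature for /index.html cannot be replayed for
// /login.html or after it expires.
func signedMessage(method, path string, expires int64, body []byte) []byte {
	sum := sha256.Sum256(body)
	prefix := fmt.Sprintf("%s %s %d ", method, path, expires)
	return append([]byte(prefix), sum[:]...)
}

// signResponse is the origin side: sign, then expose signature and expiry as headers.
func signResponse(priv ed25519.PrivateKey, method, path string, expires int64, body []byte) http.Header {
	sig := ed25519.Sign(priv, signedMessage(method, path, expires, body))
	h := http.Header{}
	h.Set(hdrSig, base64.StdEncoding.EncodeToString(sig))
	h.Set(hdrExpires, strconv.FormatInt(expires, 10))
	return h
}

// verifyResponse is the client side, with a public key it already trusts
// (pinned or pre-distributed; how that key is distributed is out of scope).
func verifyResponse(pub ed25519.PublicKey, method, path string, h http.Header, body []byte, now int64) error {
	expires, err := strconv.ParseInt(h.Get(hdrExpires), 10, 64)
	if err != nil {
		return fmt.Errorf("missing or malformed %s header", hdrExpires)
	}
	if now > expires {
		return fmt.Errorf("signed content expired at %d", expires)
	}
	sig, err := base64.StdEncoding.DecodeString(h.Get(hdrSig))
	if err != nil || len(sig) != ed25519.SignatureSize {
		return fmt.Errorf("missing or malformed %s header", hdrSig)
	}
	if !ed25519.Verify(pub, signedMessage(method, path, expires, body), sig) {
		return fmt.Errorf("signature does not match %s %s body", method, path)
	}
	return nil
}

// injectAd models the ISP middlebox the thread mentions: it rewrites the
// plaintext body in transit without touching the headers.
func injectAd(body []byte) []byte {
	return append([]byte(`<div class="isp-ad">buy stuff</div>`), body...)
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	// Constructed sample page, not a real site.
	body := []byte("<html><body>useful free software here</body></html>")
	now := time.Now().Unix()
	exp := now + 3600
	h := signResponse(priv, "GET", "/index.html", exp, body)

	fmt.Println("untampered:        ", verifyResponse(pub, "GET", "/index.html", h, body, now))
	fmt.Println("ad injected:       ", verifyResponse(pub, "GET", "/index.html", h, injectAd(body), now))
	fmt.Println("page substituted:  ", verifyResponse(pub, "GET", "/login.html", h, body, now))
	fmt.Println("replayed too late: ", verifyResponse(pub, "GET", "/index.html", h, body, exp+1))
}
```

What this does not give you is any privacy: the path, headers and body are all readable on the wire, which is exactly the trade the post proposes. It also leaves the hard part unsolved, namely how the client obtains the right public key in the first place; here it is simply handed over in-process.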
6. Avaman+So1 2023-07-25 19:16:59
>>0xbadc+sa1
> it's trivial; use PKI to sign the content, send the signature as a header, client validates the signature, and you have integrity over plaintext;

Yes, that's what HTTPS does. I don't know why you'd want to just remove the encryption part.

If you personally want plaintext locally and to cache or whatever, set up a SOCKS proxy you *consent* to. That's the core essence here, consent. Most people don't consent to their ISP collecting analytics or injecting ads, this is why we can't even entertain the idea of leaving things plaintext - the web is too hostile.

> They want to force everything to be private, which has caused tons of issues on the internet.

People also want their things to be private. Where did you get the opinion that it's not something people want?

> Crazier still... HTTPS isn't even that secure! Every year there are examples of valid certs being created for MITM.

If that's crazy then the alternatives are absolutely inane.

> There are multiple vulns that work at any time. Mitigations that are optional and only a tiny fraction of the web use.

Elaborate please.

> And cert expiration, HSTS, and other issues still take down sites accidentally.

Many things (mis)used can cause downtime. That doesn't make it inherently bad. There are just tradeoffs.

> But they force everyone to use it anyway!

You are rather free to not use HTTPS, but browser vendors are really free to warn against such sites for very good reasons.
