22

About browsers and whole SSL CERT thing...

Most likely everyone here noticed, that https site with broken certificate will throw these big red warnings, in your face and there is so much wording like "ITS NOT SECUREEEE" or "ITS HACKEDDD" almost like it was written by passionate fanatic.

But when you are on plaintext http browsers reaction is like ¯\_(ツ)_/¯
Even if you have plaintext with password, it will for example in chromium put small little red thingy that almost no one notices.

I believe that broken cert with some error like invalid date is MORE secure than plaintext password, yet still there is this hypocracy with browsers...

I dont say that broken SSL cert is good, or something, Im just pointing out contrast of "broken" https vs plain http.... One looks for casual Joe like end of the world is coming and second is bearly noticable. Da fuck?

I disagree with this approach

Comments
  • 5
    This is a very thoughtful rant. Nice.
  • 3
    This will change in the future, default will be https and you'll get warnings on http. I believe this is in the make on most browsers
  • 7
    Both should scream because a certificate error might be a MITM. Plain HTTP will definitely be MITM.
  • 3
    Http should scream its ass off.

    Broke https should say 'either someone is intercepting (listening to your password for example) your communications with this website, or website is missconfigured, or website suffers from technical difficulties.'

    Thats my opinion.
  • 3
    @DubbaThony 'or the developer is a moron'
  • 0
    AliExpress sometimes redirects you to a http login page.
    How about deactivating password autofill on http?
    Oh well, China has my password now probably.
  • 1
    @Conrad i would prefer on non https sth like JS alert with confirmation.... Or for that matter any POST request.

    Edit: yes, even js ajaxes
  • 3
    HTTP is retarded.

    Hurr durr don't mind me I'm just broadcasting my web browsing to the world. Oh, you intercepted that image and replaced it with 3D HD VR 4k dolphin porn? Cool, that's cool. I'm cool with that.
  • 0
    @AlgoRythm

    It made sense in its times. And it has usages.

    Nowadays http is cool as long as its encrypted or kept in trusted local network (like localhost/loopback, here https will only annoy performance).

    Anything that goes to wild? Encrypt. Double time!
  • 1
    @DubbaThony "http is cool as long as its encrypted" - that's just HTTPS
  • 0
    @AlgoRythm

    Lol sorry im tired as hell.

    I ment that there are usages for http (localhost, closed networks that need performance with 'front' server doing https etc)

    But http i had in mind as a protocol like http/1.1 or 2 is cool IMHO as protocol lol

    Sorry, brainfart, thx for calling me out :)
  • 2
    @DubbaThony HTTP/2 is okay but no socket support so I'm gonna hold up on adapting my web servers. Also, that technology already basically exists in HTTP/1 and the performance benefit is essentially negligible except in certain cases (which is what HTTP/2 was designed to do, so I'm not calling it a failure or anything)

    HTTP is just as fast as HTTPS, I've seen some arguments that HTTPS is faster because more development time has gone into it since it's supposed to be the standard now.

    If you don't have a certificate authority on your dev network, most browsers let you just click "continue" on a bad cert and use it as if it were perfectly fine. Lots of technologies only work on HTTPS (Service workers, PWA, etc)

    The only valid use for HTTP is to redirect to HTTPS!
  • 0
    @AlgoRythm given you have local network, with acces through like VPN, internal apis or stuff like that must physically send less packets for http without encryption (tls handshake)

    Ive seen request time on http that was in nanoseconds, idk if that would work with https. Maybe. Just more work physically.

    But in willd, encryption is a must IMHO.
  • 1
    @AlgoRythm huh? There s no such thing as bad dolphin porn. It’s always good.
  • 0
    The best use for HTTP sites is getting to the fucking login portal at starbucks.
  • 0
    Don't agree. When you're (assuming that you know what https is and why it's important for this comment) visiting an http site, you know that every party inbetween you and the served can see everything.

    But when you're on an https site, you'd assume, in general, that all is good/secure. When its not, I'd bring out way bigger alarms because one can reasonably assume that its secure because of https (the connection, not the site/service/seever itself) and at that moment IRS not.
  • 1
    @linuxxx

    Given that you are aware of underlying tech. But lets face it, software is made for software engeneers and for 'typical joes'.

    Not too many years ago (7 years?) Ive seen even bank (legit story!) website not using https so stealing logged in cookie was a breeze (Ive asked someone with account there and we confirmed it in lan, he no longer is client of this bank)

    Given they didnt go out of buissness, and still exist - means they have and had clients. So people didnt gave a broken cent of fuck if its https or not. While http is sure to leak information, https has chance to do it, its not guaranteed.

    I agree that false sense of security is bad, but, given people ignorance, they will likely ignore its http not https. Pure http + any input type password should yell at your face like hsts broken cert. Thats my take on it.
  • 1
    @DubbaThony Yeah but you're basing this on your average Joe, I'm not :)
Add Comment