Hacker News new | ask | show | jobs
by twtw 3034 days ago
I edited my post before your response to change it to "flagged," but failed to call out the change initially. Sorry, it's fixed now.

For a lot of people, a big scary warning page that says that a page is insecure is essentially a block. Yeah, you can still access it, but a lot fewer people will.

> let's be honest, it is not secure.

My original post is asking for an explanation of how it isn't secure. I would totally understand a browser warning if a user tries to submit a form over http, but for a page like the one I linked I don't see how it can adversely affect the user.
2 comments
tylerhou 3034 days ago
I could, in a very tame example, inject a fake donation button which pointed to my own account instead of the author's. In a more extreme and dangerous example, I could inject malicious JavaScript which exploited an unpatched CVE (Meltdown, Spectre) or vulnerabilities in plugins like Flash, if enabled, to gain control of the user's computer.

It's true that these things could also happen over an HTTPS connection, but then the prevention method is "don't go on sketchy websites." It's far more dangerous over HTTP because a user might already trust the site or author themselves.

link
twtw 3034 days ago
Thank you for answering.

I still don't see why either of those justify warning the user about the whole page. For the donation button, the browser could easily warn you with a big "insecure!" page when you click on the button. Regarding js exploits, I don't think https fixes that even for non-sketchy websites: I'm thinking of the js malware in ads and the recent cryptocurrency-mining ads on youtube.

link
tylerhou 3033 days ago
> the browser could easily warn you with a big "insecure!" page when you click on the button.

But this implies that whenever you click on any link on a page served via HTTP, the browser should warn you with a big "insecure!" page. I think this is far more obtrusive than a simple "not secure" banner next to the URL.

> I don't think https fixes that even for non-sketchy websites

You're right, if the website served over HTTPS injects random JavaScript/is poorly designed. However, the danger with HTTP is that every single website is vulnerable to this attack, not simply the ones served by malicious or incompetent hosts.

link
foo101 3033 days ago
The donation request may not always be in the form of a button. Sometimes it may be a request to make the donation by another means such as by sending bitcoins to a specific address.
link
tewha 3033 days ago
My ISP used to inject things into web pages. I don't think they do anymore, but some WiFi access points still do.
link