by dragontamer 2887 days ago
If the user is so paranoid about this sort of stuff, then they can go get a VPS and control a large chunk of the network for themselves.

For everyone else, it's a game guide. The worst that can happen is that they get the wrong information about how Trains work in Factorio. There wouldn't be a need for me to track users or clicks or whatever in a hypothetical game guide community website.

As I stated before: I know some game communities (ie: Minecraft or Eve Online) can be toxic. But the Factorio community isn't like that. So I'd be comfortable hosting a Factorio webpage under HTTP.

If I were hosting a Minecraft or Eve webpage however (warning: toxic community ahead), then I'd host it under HTTPS due to the dastards who troll and harass others in that community.

----------

That's the more important part btw: understanding your audience. Some game communities are toxic and full of harassers, trolls and so forth. But other communities are lax, friendly, and can get away with lesser amounts of security.

2 comments

> If the user is so paranoid about this sort of stuff, then they can go get a VPS and control a large chunk of the network for themselves.

And the last mile is still going to be just as unencrypted, non-private, and tamperable as before.

You literally cannot get end-to-end encryption/privacy without the host supporting TLS.

It's really not an optional thing to support for you as an operator, and especially now that Let's Encrypt is a thing, there's really no excuse for not doing it.

(Now that we're on the subject of toxicity anyway: I'd say that depriving your users of the ability to secure their network traffic, just because you're trying to die on a weird hill, is pretty toxic behaviour.)

If I had usernames / passwords, then I'd use TLS.

But some webpages are simple, static one-off projects that I put out on behalf of a community. I don't believe in ads and would rather pay for all the bandwidth that my users would use. Consider it a donation "for the love of the game".

Very, very simple, nearly static webpages, close to "neocities" level of web design. No users, no passwords, just information I'm publishing to help a game community out.

Nothing to steal, nothing to phish, nothing. Pure text, maybe a few images and videos to elaborate on specific points.

http://factorioguide.nfshost.com

----------

I understand that TLS is important for any website with interactivity for privacy reasons. But the above webpage is completely static and non-interactive. It's old-school Web 1.0 stuff. There's nothing to steal, phish, or cheat here. Literally nothing.

I just don't see the point in HTTPS-ing this site.

> But some webpages are simple, static

I'm not sure why you aren't listening to other people. TANSTAASWS.

There ain't no such thing as a static website.... When someone can MITM you, the simple page you serve them can have all your content, with a complete redesign... Scripts, login places, anything the hacker chooses to put on it.

When you don't use HTTPS any middle man can take your content and do anything they want with it.

> Nothing to steal, nothing to phish, nothing. Pure text, maybe a few images and videos to elaborate on specific points.

So I was reading this site and am particularly concerned about the crypto miner present on the page. Care to explain this to me? Hint: MITM due to insecure context and the miner isn't coming from the site itself but as a user, I'm going to blame the site because it happens on the insecure site.

If you think a MITM can't do any harm with a static page then you simply aren't being creative enough.

[0] Reusing a previous post of mine: https://news.ycombinator.com/item?id=17509373

> I understand that TLS is important for any website with interactivity for privacy reasons.

Then you understand wrong. It's important for any website, interactive or not, for privacy reasons. Reader privacy is a thing regardless of whether something is interactive. I don't know where you're getting the idea from that 'static' sites are somehow special.

I understand the importance of privacy in CERTAIN settings. Even if they're static.

For example, Eve Online would 100% be under HTTPS. Period. That online community is incredibly secretive, incredibly untrustworthy, full of scammers and requires every bit of security on EVERY webpage.

Factorio's community? Erm... no. Trolls just don't exist in that community. Unlike Eve Online, there's no warring factions of spies trying to take over each other's online turfs "outside of the game". Factorio is a lax community without any trolls or hackers.

A lot of it is understanding the userbase and general security posture. If I were a serious Eve Online player, I'd give 100% secure settings, as much as possible, due to the shenanigans that community is known for pulling.

Protecting users from malicious ISPs (or the criminals that hack malicious ISPs) is a huge win for anyone.

> Factorio's community? Erm... no. Trolls just don't exist in that community.

HTTPS isn't about protecting "secretive" shitty people. It's about protecting everyone.

From my understanding, Eve Online gamers transcend the game itself and stalk your habits to the "real world" settings. Infiltrating forums and such. So yes, I'd expect Eve Online players (the serious ones at least) to be very privacy sensitive.

But ultimately, I don't think that this vague concept of "privacy" when applied to a game guide really matters. People normally don't shuffle books and anonymize themselves as they put books back onto the library cart for example.

And I'm old enough to remember physical library cards with the names of everyone who checked out a book. I don't recall any privacy concerns about that. But maybe I'm just old-skool or something.

-------------

With regards to malicious ISPs MITMing their users: they kinda control your DNS requests, so good luck with that. I'm not sure if there really is a way to fully secure against an ISP-level attack against the users.

An ISP can always inject into the HTTP -> HTTPS redirection, and serve HTTP right there and then. HSTS assumes that the user has visited a clean version of your site before; if a new user comes in without ever seeing the HSTS, then the ISP still "wins" and captures your users on a fake HTTP version of your site.

So no, the level of attacks you've described, I don't believe HTTPS solves the problem.

The worst that can happen is malware JavaScript, phishing re-directs are injected. Of course if the page itself has ad networks those are there by design.

Phishing for what though?

If it were a big network, like GameFAQs, Reddit, or you know, something where you can steal a password or something. Maybe you'd have a point.

But random blog with a bit of information on the game??

http://factorioguide.nfshost.com/

Real story btw. I'm paying a bit of money for the host (not much though), I don't believe in ads taking money from the few reads I do get. It's basically a static page that costs pennies. I'm no longer updating the webpage, but I'm leaving it up just in case someone out there wants to learn more about the game. (It doesn't seem like any of the information is out-of-date. It's a few years old but the game hasn't changed in this aspect, so the information is still solid).

I just don't see any point converting this webpage into HTTPS.

There's literally nothing to phish here.

I'd really recommend watching the video in this blog post: https://www.troyhunt.com/heres-why-your-static-website-needs...

Yes, I'm aware of MITM attacks and I'm also aware that fake certificates can be used to MITM even HTTPS sessions.

So I'm not convinced that HTTPS is the solution for that hypothetical attack. Not while untrustworthy certificate authorities are default-enabled on most clients anyway. At best, HTTPS complicates the attack but it doesn't make you immune to it.

A hypothetical MITM attacker can just get a fake certificate from a low-security vendor (ex: Comodo), and serve that to get a nice "trusted" version of the fake webpage. If you control the network, you control the certs that are eventually served to the users.

https://news.netcraft.com/archives/2014/02/12/fake-ssl-certi...

https://en.wikipedia.org/wiki/DigiNotar

> At best, HTTPS complicates the attack but it doesn't make you immune to it.

That's literally all security. It isn't binary. It never is. At best, ASLR complicates ROP. At best, salts complicate breaking password hashes. At best, memory safe languages complicate buffer overflow attacks.

One could use your argument to dismiss basically all security. You've chosen zero mitm protection rather than a lot of mitm protection.

If you aren't using https then a network attacker with no preplanning can cause problems. If you are using https then a network attacker needs to get a bogus cert ahead of time. This costs money and time and does not scale well. Security is an economics issue. Making it more expensive to attack people is good.

Did you intentionally ignore the malware injection point?

Credit card numbers, Social Security numbers, online banking credentials, etc. The usual target data in a fake tech support phishing scam.

example screenshot: https://www.pcrisk.com/images/stories/screenshots201703/zeus...

Okay, I get what you're saying then. Your example isn't exactly the best example... but I "get" what you're trying to say at least.

You're saying that someone can inject a "redirect header" into a fake webpage, force that upon my users through the control of a network (WiFi router or whatnot), and use my domain name and my trust to take advantage of the users.

(Your example with the Zeus malware is bad because Zeus attacked the OS directly, so it wasn't a network attack. But hypothetically, let's say it was a network attack so that it remains applicable to my example)

Alas, HTTPS does NOT solve that, at least not while globally trusted HTTPS certificate roots remain insecure. They only need to get one HTTPS certificate signed by Comodo (or some other low-security HTTPS vendor) to attack my domain name in a manner like that.

That scam is mostly used through the ad network vector, not MITM. Btw it only references Zeus, it's not Zeus. A more subtle example is cryptocurrency miner scripts that result in your static page pegging a CPU core.

HTTPS raises the bar. There's no happily ever after in security. Maybe in five years domain hijacking and cert abuse will be as common as aforementioned fake tech support scams that prevent users from closing the tab. Some of them even set full-screen on desktop browsers and vibrate your phone (grr).

Oh, a fake Zeus scam. That makes more sense then.

> That scam is mostly used through ad network vector not MITM.

Just one more reason why I'm not going to use ads to fund any web-projects I do.

-------

I agree that HTTPS raises the bar and makes it more difficult for certain scams. Indeed, I'd go as far as to say that any webpage with user-inputtable data (ie: username, passwords, etc. etc.) is required to be HTTPS. The risks are too great and that's the minimum security users expect these days.

But I'm still of the opinion that Web 1.0 style static-sites can be served with HTTP just fine. If there's no usernames, no interactivity, and PURELY hosting static content in a community that's relatively lax (again: Minecraft and Eve Online fail. I'd use HTTPS even for a static site if I were doing Minecraft or Eve Online stuff), then I'd think HTTP is just fine.