[dragontamer]

If I had usernames / passwords, then I'd use TLS.

But some webpages are simple, static one-off projects that I put out on behalf of a community. I don't believe in ads and would rather pay for all the bandwidth that my users would use. Consider it a donation "for the love of the game".

Very, very simple, nearly static webpages, close to "neocities" level of web design. No users, no passwords, just information I'm publishing to help a game community out.

Nothing to steal, nothing to phish, nothing. Pure text, maybe a few images and videos to elaborate on specific points.

http://factorioguide.nfshost.com

----------

I understand that TLS is important for any website with interactivity for privacy reasons. But the above webpage is completely static and non-interactive. Its old-school Web 1.0 stuff. There's nothing to steal, phish, or cheat here. Literally nothing.

I just don't see the point in HTTPS-ing this site.

[pixl97]

>But some webpages are simple, static

I'm not sure why you aren't listening to other people. TANSTAASWS.

There ain't no such thing as a static website.... When someone can MITM you, the simple page you serve them can have all your content, with a complete redesign... Scripts, login places, anything the hacker chooses to put on it.

When you don't use HTTPS any middle man can take your content and do anything they want with it.

[Nadya]

>Nothing to steal, nothing to phish, nothing. Pure text, maybe a few images and videos to elaborate on specific points.

So I was reading this site and am particularly concerned about the crypto miner present on the page. Care to explain this to me? Hint: MITM due to insecure context and the miner isn't coming from the site itself but as a user, I'm going to blame the site because it happens on the insecure site.

If you think a MITM can't do any harm with a static page then you simply aren't being creative enough.

[0] Reusing a previous post of mine: https://news.ycombinator.com/item?id=17509373

[joepie91_]

> I understand that TLS is important for any website with interactivity for privacy reasons.

Then you understand wrong. It's important for any website, interactive or not, for privacy reasons. Reader privacy is a thing regardless of whether something is interactive. I don't know where you're getting the idea from that 'static' sites are somehow special.

[dragontamer]

I understand the importance of privacy in CERTAIN settings. Even if they're static.

For example, Eve Online would 100% be under HTTPS. Period. That online community is incredibly secretive, incredibly untrustworthy, full of scammers and requires every bit of security on EVERY webpage.

Factorio's community? Erm... no. Trolls just don't exist in that community. Unlike Eve Online, there's no warring factions of spies trying to take over each other's online turfs "outside of the game". Factorio is a lax community without any trolls or hackers.

A lot of it is understanding the userbase and general security posture. If I were a serious Eve Online player, I'd give 100% secure settings, as much as possible, due to the shennanigans that community is known for pulling.

[CiPHPerCoder]

Protecting users from malicious ISPs (or the criminals that hack malicious ISPs) is a huge win for anyone.

> Factorio's community? Erm... no. Trolls just don't exist in that community.

HTTPS isn't about protecting "secretive" shitty people. It's about protecting everyone.

[dragontamer]

From my understanding, Eve Online gamers transcend the game itself and stalk your habits to the "real world" settings. Infiltrating forums and such. So yes, I'd expect Eve Online players (the serious ones at least) to be very privacy sensitive.

But ultimately, I don't think that this vague concept of "privacy" when applied to a game guide really matters. People normally don't shuffle books and anonymize themselves as they put books back onto the library cart for example.

And I'm old enough to remember physical library cards with the names of everyone who checked out a book. I don't recall any privacy concerns about that. But maybe I'm just old-skool or something.

-------------

With regards to malicious ISPs MITMing their users: they kinda control your DNS requests, so good luck with that. I'm not sure if there really is a way to fully secure against an ISP-level attack against the users.

An ISP can always inject into the HTTP -> HTTPS redirection, and serve HTTP right there and then. HSTS assumes that the user has visited a clean version of your site before, if a new user comes in without ever seeing the HSTS, then the ISP still "wins" and captures your users on a fake HTTP version of your site.

So no, the level of attacks you've described, I don't believe HTTPS solves the problem.

[CiPHPerCoder]

> With regards to malicious ISPs MITMing their users: they kinda control your DNS requests, so good luck with that.

HTTPS security doesn't depend on DNS.

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Ex...

Please keep in mind: I do app security for a living.

> An ISP can always inject into the HTTP -> HTTPS redirection, and serve HTTP right there and then.

...they said, in a thread about a popular browser marking HTTP insecure.

Do you really think HTTPS-by-default is out of the question in the future, especially if adoption rates exceed 99%?