When you start with a premise that all sites MUST have HTTPS and MUST NOT support TLSv1.0 in each argument, then your arguments are simply unsound, because they're based on an incorrect premise, so, the conclusion couldn't possibly follow, because the underlying premise is false and thus cannot support any of your conclusions. My point about capitalism is exactly that -- capitalism -- Google, Bing, even Amazon (i.e., companies that make the most money from the web) -- show that HTTPS is entirely optional (Google Search and Bing both work over HTTP just fine), and TLSv1.0 provided by the server is just as secure as TLSv1.2-only servers (Google, Microsoft, Amazon). I can still use any device from the last 20+ years to access both Google Search and Bing. If you intentionally disable your blog from working on such older devices, shifting the blame to the device manufacturer is simply ludicrous! All my sites are HTTP-only, so, anyone anywhere can access them, from any device, over any connection (some WiFi via satellite links only allow HTTP-only traffic for free -- I win again), and with any browser. They are not in any way "insecure", either, unlike what the newer browsers might tell you. I can reach as large a variety of visitors as Google and Bing if I simply don't listen to what Mozilla, EFF and Google itself tell me on how to run my website.
So when capitalism says a type of security isn't necessary, well, other than a nihilist "nothing is necessary" attitude, I don't believe them. And it doesn't prove that what a company does is "just as secure" as best practices.
> When you start with a premise that all sites MUST have HTTPS and MUST NOT support TLSv1.0 in each argument, then your arguments are simply unsound, because they're based on an incorrect premise
Whew, good thing I wasn't doing that.
> If you intentionally disable your blog from working on such older devices, shifting the blame to device manufacturer is simply ludicrous!
Let me try to be clear again, since you definitely misread me.
Disabling HTTP is on the site owner.
HTTPS breaking is the manufacturer's fault. The site can influence how it breaks, but no matter what, a very old implementation will be broken. At a certain point you can't even get certificates any more because all the roots are expired.
> All my sites are HTTP-only
So you don't want your users to even be able to opt in to privacy or protection from hostile networks?