by jlokier 1935 days ago
Parent was downvoted, but it happens. People think a site with only public content should be served over HTTP, what's the harm. Here's my anecdote:

A site I developed was being critiqued by a fellow director. They looked at the HTML and didn't like the poorly written advertising and analytics JavaScript near the start of it.

But wait! What advertising and analytics? I didn't add that sort of junk.

It took us a few rounds of me defending my design decisions and not understanding what their problem with it was, and them becoming suspicious of me, before we figured out they were looking at JavaScript inserted by their ISP in real-time into the site's HTML. Not something I wrote. We were viewing different HTML because of that.

That was 6 years ago. One more reason to switch to HTTPS, even for public, static content.

1 comments

ISPs should be charged like the criminals they are but they are abusing a unique position not shared by a random attacker. My own ISP, Comcast, has injected contents into my HTTP connections and broken things like the Steam client browser. For almost a decade now I've tunneled to various VPSes for web surfing.

The problem here is not in HTTP. HTTP allows anyone and everyone to easily host and view each other's websites. Yes, an ISP can interfere but that's not something anyone else can do in a targeted way.

The benefits far outweigh the downsides in most cases. You might have a business/profit motive to disable HTTP and that's fine. But most cases are not profit motivated.

> You might have a business/profit motive to disable HTTP and that's fine. But most cases are not profit motivated

No, it was a community group non-profit (non-profits have directors too!) and the site was a static site with public information and no tracking. Exactly the sort of friendly hobbyist site you are probably thinking should use HTTP. I was an unpaid volunteer, and the group did not pay for hosting.

> The benefits far outweigh the downsides in most cases

There were no identifiable benefits to HTTP or downsides to HTTPS for us. The switch was almost trivial. The ISP issue hurried the conversion though.

> I've tunneled to various VPSes for web surfing.

If you have to use a VPS to use HTTP safely, with its extra cost and latency, why are you down on HTTPS? Having to use a VPS with your HTTP is basically the same thing as HTTPS but with higher cost, higher latency and more security centralisation.

That's not a positive advert for HTTP, if you feel you have to use a VPS to use it safely.

Still, there should be a law (wire fraud?) that is applied to the ISPs who engage in forgery.

If applied, they'd stop and HTTP would be safe for static sites.