[wepple]

At Starbucks I can inject arbitrary content into the browser of anyone who visits your site over HTTP and take control of their browser.

Furthermore, congrats on your site but you’re 0.01% of sites like that. Should we keep an insecure web because your hosting provider is ripping you off? TLS is easy and free in 2021.

[echelon]

> Furthermore, congrats on your site but you’re 0.01% of sites like that.

Thanks to the rise of the almighty platforms we've lost the will and know-how to do it ourselves.

> TLS is easy and free in 2021.

Only if you're relying on complicated cloud infra or (non-free) managed providers that do everything for you. It's a lot of work to set this up on your own.

It's impossible to be simple at this point. It's like the automotive industry which collectively decided to use computers for everything. You can't repair things yourself now. It's ironic, too, because now the industry finds itself with a chip shortage. I can imagine lots of scenarios where our complicated infrastructure requirements bite us.

There should always be the option of not using TLS. It should be first-class and not require expertise to access or use.

[nybble41]

It's actually very easy to set up a TLS server using certificates from Let's Encrypt or any other ACME-compliant certificate provider. If you're using Apache, mod_md[0] will manage all the details for you. After enabling mod_md and mod_ssl, a simple TLS server only requires a few lines of extra configuration compared to a basic non-TLS site:

  MDCertificateAgreement accepted
  MDomain example.org
  <VirtualHost *:443>
    ServerName example.org
    ServerAdmin admin@example.org
    ServerAlias www.example.org    # optional
    DocumentRoot htdocs/root
    SSLEngine on
  </VirtualHost>

If you're using Nginx rather than Apache I believe it still requires an external script to handle certificate renewal, but the process remains fairly simple. The same scripts will also work with Apache if you don't want to use mod_md.

[0] https://httpd.apache.org/docs/trunk/mod/mod_md.html

[Const-me]

I don't like when Google, or anyone at all really, tries to globally police the internets.

It's up to web site owners to decide whether to implement encryption, and up to users to decide whether to use these web sites or not.

[wepple]

Website owners can decide: don’t use a cert.

Users can decide: find a browser which doesn’t put importance on cert usage. You’ll find this hard to find because every browser manufacturer realizes that 99.9% of users cannot make sound security decisions, so they shouldn’t have to. Things should default to secure.

There’s a trade off between protecting users and having a 100% free and open internet. An insecure internet is untrustworthy and therefore not useful, IMO.

[prepend]

So what. We’ve all done this stuff and it’s fun for like 5 minutes.

It’s been possible for decades and doesn’t end up being a common problem. And even if it was the risk is just crap injected into someone’s blog.

[wepple]

> It’s been possible for decades and doesn’t end up being a common problem.

https://news.ycombinator.com/item?id=3804608

This is far more common than you think. ISPs, hotels, cafes, mobile providers do this en masse far more than you think. Have you forgotten the NSA “SSL added and removed here”? That was a highly targeted attack against infrastructure. What we’re discussing here is 10x easier to achieve.

> And even if it was the risk is just crap injected into someone’s blog.

That “crap injected” has full control over the DOM, any authentication, and everything displayed. How many of your users would happily put their creds into a fake login modal that popped up claiming to be SSO for a popular identity provider?