by enzanki_ars
1860 days ago
Like others have said, I agree with those stating that TLS does not guarantee security. But plain unencrypted HTTP does mean insecure. For a good discussion of why _all_ websites should use HTTPS, the many different ways that not having the connection secured is actively harmful, and why it should not be done in the modern era, see: https://www.troyhunt.com/heres-why-your-static-website-needs...

Not having your site on HTTPS puts all of your website visitors at risk. Even US ISPs like Comcast use these very same practices to inject warnings into insecure web traffic[0], some of which look more like advertisements than warnings. And as mentioned in the article, promises from ISPs not to use it for advertisements are just that, promises, and those can be broken in an instant. And when you have the power to inject anything without notice, you can do anything and everything with the website experience. You can attempt to force a download, or present scam pages that look like antivirus warnings or software updates, one of the easiest ways to have users fall for malware.

We should _never_ expect regular non-technical users to have all of their threat models in mind, nor should they be expected to understand all of these differences. Website owners should be expected to protect all of their visitors as best as possible, and one of the easiest ways to start is by protecting their website with modern HTTPS encryption. Otherwise, it would be like a chef leaving the bones in a salmon before serving it to a customer. You could leave them in, but a customer might not know they are there and you have left a choking hazard.

[0]: https://gizmodo.com/comcast-to-customer-who-noticed-it-secre...
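The injection the comment above refers to is mechanically trivial on plaintext HTTP: anyone on the path (an ISP's transparent proxy, a coffee-shop router) sees the headers and body and can rewrite them before forwarding. The Python below is an added illustration, not code from the thread or from any ISP; the sample response, the hypothetical `isp-notice` banner and the fake TLS record bytes are all constructed for the demo. It also shows why the same intermediary gets nothing from an HTTPS connection: the bytes it sees are TLS records, not an HTTP message it can parse.

```python
"""Added example: on-path rewriting of a plaintext HTTP response.

Constructed demo only; not the original thread's code and not any ISP's
actual injection logic.
"""

# Constructed sample: a minimal plaintext HTTP/1.1 response exactly as a
# transparent proxy on port 80 would see it.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html; charset=utf-8\r\n"
    b"Content-Length: 53\r\n"
    b"\r\n"
    b"<html><body><h1>Hebrew noun drills</h1></body></html>"
)

# Hypothetical banner markup for the demo (not Comcast's).
BANNER = b'<div id="isp-notice">Your data cap is almost reached</div>'

# Constructed stand-in for what the same proxy sees on an HTTPS connection:
# a TLS 1.2/1.3 application-data record header (0x17 0x03 0x03, length 0x2a)
# followed by opaque ciphertext. No Content-Type, no </body>, nothing to edit.
TLS_RECORD = bytes.fromhex("170303002a") + bytes(range(0x2A))


def inject_into_http_response(raw: bytes, payload: bytes) -> bytes:
    """Return `raw` with `payload` inserted before </body> of an HTML body.

    Anything that is not a parseable HTML response is returned untouched,
    which is exactly what happens to TLS ciphertext.
    """
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        return raw  # no header/body split: not an HTTP message we can edit
    headers = head.split(b"\r\n")

    # Only rewrite HTML bodies; skip the status line when scanning headers.
    is_html = any(
        h.lower().startswith(b"content-type:") and b"text/html" in h.lower()
        for h in headers[1:]
    )
    if not is_html:
        return raw

    # bytes.lower() only folds ASCII, so offsets into the original body hold.
    idx = body.lower().rfind(b"</body>")
    if idx == -1:
        return raw

    new_body = body[:idx] + payload + body[idx:]

    # The body grew, so Content-Length must be rewritten or the client will
    # truncate or stall; a real injecting proxy has to do this too.
    new_headers = []
    for h in headers:
        if h.lower().startswith(b"content-length:"):
            new_headers.append(b"Content-Length: " + str(len(new_body)).encode())
        else:
            new_headers.append(h)
    return b"\r\n".join(new_headers) + b"\r\n\r\n" + new_body


def body_matches_content_length(raw: bytes) -> bool:
    """True if the declared Content-Length equals the actual body size."""
    head, _, body = raw.partition(b"\r\n\r\n")
    for h in head.split(b"\r\n")[1:]:
        name, _, value = h.partition(b":")
        if name.strip().lower() == b"content-length":
            return int(value.strip()) == len(body)
    return False


if __name__ == "__main__":
    tampered = inject_into_http_response(SAMPLE_RESPONSE, BANNER)
    print(tampered.decode())
    # The HTTPS stand-in comes back byte-for-byte unchanged.
    assert inject_into_http_response(TLS_RECORD, BANNER) == TLS_RECORD
```

Nothing in the plaintext case required breaking anything: the proxy simply edits text it is already carrying. The site owner never learns it happened, and the visitor has no way to tell the banner from the page. Under TLS the only option left to the intermediary is to block the connection outright, which the user notices.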
No, it does not. These are bold statements made without evidence that your personal preference should override the threat model of information owners -- that they must worry about something they have looked at and chose not to view as a threat. I once had a website that had Hebrew drills, so you could look up the construct forms of various nouns and other grammatical information. I did not care if an attacker in a coffee shop or other public network was trying to intercept that site and give a victim incorrect Hebrew words. It was not a threat in my threat model. So I did not use https. My website, my information, and I know the threat model to use. My site would not have been more "secure" if everything was encrypted. There would be no meaningful benefit to anyone from me doing that, and being a security professional, I was not interested in security theater, but only actual security.
> We should _never_ expect regular non-technical users to have all of their threat models in mind
Correct. That is why the threat model of the information owner is what determines what a site serves. Information owners generally do have a threat model in mind. It is, after all, their information, their website, and their security policies that matter. They are the ones in a position to decide whether they care if their http responses are altered or not in targeted attacks on public networks. Obviously a site that accepts credentials or displays sensitive information is very different from a site that displays verbal patterns. The fact of the matter is that in many cases, there is no need to care and no real security benefit to encrypting the site.