by badsectoracula 1797 days ago
Why is this something the sites have to care about? This is an issue to take with your ISP.

My ISP is fine. But no way am I going to let anyone who happens to be upstream of my visitors make arbitrary changes to my site!
Sure, but what I asked wasn't about your own site but why it is something sites have to care about when the actual issue is with ISPs (in the case where ISPs are injecting ads or other stuff). There are *WAY* more sites than ISPs and the party that is wrong here is the ISP, not the site.
Even though there are far more sites, it's a matter of incentives:

* ISPs and other intermediaries have the wrong incentives: reading and modifying plaintext traffic can be very profitable.

* Sites have the right incentives: they don't want to be messed with or snooped on.

What makes you think HTTPS is going to prevent that? You can without much effort generate your own SSL certificate and MITM attack HTTPS traffic [0]. Not sure why to win an argument you stop short of the place where your argument would fall far apart, but not a single step further.

[0] https://www.charlesproxy.com/documentation/proxying/ssl-prox...

Of course you can MITM HTTPS if you get the end user to install a custom CA; the point is that those are extra steps that few users will take (and if my ISP ever required that I would switch to a different one immediately since that's shady as hell).
And how prevalent is the practice of ISPs injecting packets into non-HTTPS traffic? Seems like OP is trying to argue against HTTP just because of a few ISP bad actors. HTTP is simpler, faster, less complex and requires much less initial configuration to set up. It also seems to me that HTTPS would be a great way for an evil tech monopoly (Google?) to solve the user attribution problem much more accurately in a cookie-less world (if you control the browser "Chrome" and the server "AMP" you just need to make sure the link between the two is encrypted to identify the user.) So I'm always worried whether opponents of HTTP have not been somewhat indoctrinated.
> And how prevalent is the practice of ISPs injecting packets into non-HTTPS traffic?

Is there anything preventing page alteration on unencrypted connections? There's certainly an incentive to do so.

Could that be argued to be a violation of the DMCA?
Do you think a complaint from all three customers in your area who understand the issue is going to change anything, especially when options are limited and your only choices of ISP are engaging in the same behavior?

On unencrypted connections, there's nothing preventing an intermediary from altering a page. Assume it happens.

A complaint by three people wouldn't make much, but if it is just three people in an entire country then the issue doesn't matter much in the first place.

On the other hand, a complaint by all the customers of the service over the entire country who understand the issue could make a difference.