by echelon 962 days ago
You're being downvoted, but you're right.

I'm fine serving my personal website under http.

- If someone is worried they'll be found out using my site, then fine, don't use it. This advice is just for my site, and it's fine to desire security elsewhere and in other contexts.

- If an ISP or MITM wants to inject some content in my website, then fine. We'll all know not to use those providers. I promise I'm not important enough for this to be a vector someone would want to exploit.

None of the information I have to offer you requires HTTPS. I assure you.

I think it's fine that https is becoming the default, especially for web services. But we shouldn't enforce it. It's an undue burden to have to support all the certificate machinery just to serve some basic info.

We really need to get back to the basic, easy to hack web. Where it took nothing to spin up services on your home machines and serve them as demos to others. That ethos was great.

2 comments

The web was fantastic until money got involved. And the best parts of the web are still where there is no money involved.

When wasn't money involved?

Geocities was bought for $3.6 billion dollars by Yahoo in 1999. It launched in 1994. The web is only three years older than that.

I had my first website on Angelfire in 1996 before my 10th birthday. WhoWhere purchased Angelfire a year later, and then they were bought by Lycos a year after that for $133 million.

Also, I don't remember it being fantastic. To me, even with all faults considered, things are much nicer today.

The point is not your safety, but the safety of all your viewers.

The more ubiquitous http is for the average internet user, the more worth the squeeze MITM becomes for the targeted user.

That's bullshit when you're accessing my website, where I have some photos of some old science projects and that's it.

A much better middle ground would have been for websites to advertise certain features (login, user accounts) and for browsers to warn when not using SSL. Or to do it based on some heuristic, such as cookie use on a given domain.

The current implementation keeps everyone non-technical from using http, which is a loss for everyone.

Google unilaterally got to make this decision for everyone. Small websites don't matter to their bottom line anymore. They've already scraped and indexed the content, pulled the value away onto walled gardens, and left that web to rot.

I don't remember that being the reasoning:

https://www.youtube.com/watch?v=cBhZ6S0PFCY

Google I/O 2014 - HTTPS Everywhere

https://developers.google.com/search/blog/2014/08/https-as-r...

you're still not getting it

it doesn't matter what content is being served

the point is if your site is on HTTP a third party may silently inject malicious code into the response.

any visitor that views your site now becomes subject to this threat vector.

you may argue nothing will come of it, sure, but then you should make that your argument.