[tomtomtom777]

Please use HTTPS.

I use HTTPS only. I don't think HTTP is acceptable for anyone let alone a technical blog post. It takes a few minutes, and it prevents me and all your visitors from getting all kinds of MITM injections.

Thanks.

[Fwirt]

It also prevents all kinds of clients who (for various reasons) can't implement SSL from visiting your website. I'm sure this is a "small web" blog, whose author wants to be visited by e.g. a Commodore 64, an OS 9 iMac, or somebody who just wants to telnet in. If the sensitivity of the information on this page was critical or you were going to be submitting information then by all means yes, SSL is important, but if you're going to be reading a personal blog about calendars then http is probably fine. Of course the ideal solution is offering both and letting the client choose.

[pc86]

Man I really hope this doesn't get autoflagged because people need to see that this is an opinion people actually have, and what the (justified) reaction to it is.

HTTPS on a blog does nothing. It doesn't protect you from anything. I guarantee you're not getting "all kinds of MITM injections" on this block of text. The only reasonable desire I can think of for "HTTPS everywhere" is hiding the content from your ISP but a) they still see the URL so they can get the content if they want it, and b) if you're so worried about that, use a VPN which coincidentally is even better because it will also hide the URL, and most importantly c) it puts the onus on you, the person who wants the thing, instead of hundreds or thousands or tens of thousands of text-only website owners who rightly couldn't care less about HTTPS.

[foobiekr]

>I guarantee you're not getting "all kinds of MITM injections" on this block of text

You actually can’t guarantee anything of the sort. BGP hijacks are real.

[rnhmjoj]

> they still see the URL so they can get the content if they want it

That's incorrect, a MitM can only reveal the server hostname by inspecting the SNI during the TLS handshake, but the HTTP request, including the URL and headers, is encrypted.

[pc86]

Surely your ISP can see every URL you visit if they have a reason to? They're routing the traffic.

[rnhmjoj]

No they can't. They obviously know the IP addresses, but that's not terribly useful since everything is behind a cloudflare proxy nowadays. The server hostname may provide some more information, if the server doesn't support ECH [1], but the full URL is encrypted.

https://en.wikipedia.org/wiki/Server_Name_Indication#Encrypt...

[mandevil]

If you use HTTPS they can see that you hit wikipedia (they will see you are trying to do a DNS lookup for en.wikipedia.org), but they can't see that you are viewing https://en.wikipedia.org/wiki/Hundeprutterutchebane in particular- that is only available to someone who can read the body of the HTTP request, which with HTTPS is encrypted.

[NetMageSCW]

Routing only shows the server IP address, which isn’t very useful if it is AWS or Azure or CloudFlare or some other CDN.

[zarzavat]

> HTTPS on a blog does nothing.

It does nothing now. There used to be ISPs who injected ads into web pages as an additional revenue stream. This stopped being a viable strategy precisely because browsers forced a transition to HTTPS.

Also your ISP doesn't get to see the URL under HTTPS. They get to see the IP address and SNI if not encrypted. This may reveal the blog if the blog is not behind cloudflare etc.

[voidfunc]

MITM attack on a read-only text webpage... okay.

More annoying is the slightly shiny/shaded text that is supposed to highlight something. Who chose this style palette?

[Aesthetikx]

Haha this is my blog -- its pretty new. I agree it's readability is less than ideal -- going to change it at some point. HTTPS as well probably at some point. Its been an experiment for me doing everything by hand. The entire blog is a large single Rakefile using Markaby :)

[lentil_soup]

for what is worth, I actually liked the shaded links, they made me smile :)

[zzo38computer]

Even just disabling CSS makes it readable. For HTTPS, I think that (like someone else mentioned) it should be made optional (at least for read-only access to public files) rather than mandatory.

[himata4113]

check out certbot + install certbot renew into crontab. Get the python3 variant the "native" package is outdated and removed from newer systems.

[foobiekr]

It’s html. Which is code that your browser executes.

Millions of routers are compromised. BGP attacks happen. Anything http stands out as an interesting target for injection.

This position is foolish. It’s not a major ask to enable https.

[pavon]

For a random blog you have never visited before and have no reason to trust. It could attempt to do all the malicious things that you are worried a man in the middle would do.

[themafia]

The browser still has to execute code over HTTPS. You've just moved the injection perimeter from inside my own network into the providers website. I don't think you've fundamentally changed your level of risk unless you spend a huge amount of time browsing on shared password WPA protected wifi networks.

You cannot browse to sites under any regime and execute code while expecting security to exist.

[toast0]

> BGP attacks happen.

If you control the IP a domain name points to, you can get a certificate issued. Https might help on a small BGP takeover, but it might very well not.

[himata4113]

I think you would have a better argument if you said something like: "I don't want my ISP knowing about the content I read" or something along those lines. MITM for a text download is like saying we have to have https for dns (yes DoH exists now), but the point still stands. You aren't sending any sensitive data to the website, MITM is unlikely.

[brewmarche]

Without HTTPS someone could alter the content, spread false information, inject ads, malware, and other stuff, redirect to some other site, …

(This is a general remark, but it goes for a blog post like this as well.)

[himata4113]

It's still a weak argument since it's extremely rare in practice that's why I suggested blaming the ISP instead since ISP's are the ones that have historically tampered with http content.

[Orygin]

It's rare in practice because everyone and their mothers run HTTPS now.

[foobiekr]

Attacks in general are all rare in practice in the grand scheme of the internet. So?

[himata4113]

Yes, that's why you present a better argument, that's the entire conversation.

[reaperducer]

Not everyone has to prepare their home for a leopard attack.

[Joker_vD]

The site owners could do all of that even with HTTPS, and no-one would revoke their certs. Just saying.

And the best Windows malware is actually digitally signed.

[SAI_Peregrinus]

I no longer have an ISP that injects ads into HTTP-only pages, but I did have one once. MITM is quite possible.

[OkayPhysicist]

Without HTTPS, every link in the chain between me and your website is a potential attack vector. Maybe I trust my ISP, but do I trust my buddy's cheapo router? What about the shadowy cabal that offers airport wifi?

With static webpages, the concern isn't someone snooping in on what I'm reading. It's someone injecting content, probably malware, into the page. Let's say I have a zero-click exploit for Chrome. What can I do with it? If I just stick it on a page I control, best I can hope for is spamming it all over the web and hoping someone clicks on it. Probably not a lot of impact before it gets patched. If instead, I can wait until some router firmware gets pwned, or an ISP, I can do a mass attack where I make all the vulnerable routers inject my exploit into all non-HTTPS web requests. Much greater exposure.

[butlike]

Just as a reminder, this was standard before SSL/TLS. Every webpage was http-only.

[1-more]

I can't view this blog on my work laptop. Runs afoul of our firewall. Self signed certs do too.

[hamdingers]

Surprised this is downvoted. Chrome forces me to click through a warning to even visit HTTP sites nowadays.

[dredmorbius]

"Please don't complain about tangential annoyances..." <https://news.ycombinator.com/newsguidelines.html>.

A long-standing HN guideline. Regardless of how merited the complaint may be.

[stronglikedan]

It only does that for me if there's an HTTPS option available but it's expired or not configured correctly. Chrome let me right into this site without that warning.

[hamdingers]

Turns out the warning I get is due to the Chrome setting "Always use secure connections"

I don't remember turning it on but it's probable that I did, it's not a default yet but will be come October: https://blog.google/security/https-by-defau/

[LtWorf]

Yup, very secure. Then every single IT department installs a cert on the machines to MITM everything.

[hamdingers]

I have no idea what you're trying to say, there's no IT department managing my laptop and none of the IT departments I've worked in or with "MITM everything." Do you want to try again?

[pc86]

On the flip side, every company I've ever worked for has installed trusted company certs on their computers and do MITM everything.

[Joker_vD]

Yep. You apparently need HTTPS for intranet resources too, or you can't develop/use web-apps in Chrome, and since no self-respecting CA would certify your localhost, internal homegrown CA it is, baby — and given the web runs on the lovely model "any CA can attest any website; okay, maybe CAA is not a bad idea"...

[NoahZuniga]

Even with CAA records, any CA can still create a cert for any website. So if you're worried about an untrustworthy CA, then this won't help you.

It could make it less likely for a CA with buggy code to accidentally issue a cert for your domain.