Hacker News
by pornel 4070 days ago
This article is written as if "Should we use HTTPS?" was still an open question. That boat has sailed.

If you can't allow SSL on your network, you can't allow use of Google and about 2000 sites which browsers will not even try opening via HTTP:

https://code.google.com/p/chromium/codesearch#chromium/src/n...

Jail libraries and magic-cookie-hunting hackers have an option of installing their own CA certificate. This is supported by all browsers. It's not hard, even Lenovo malware can do it.

1 comments

"Should we use HTTPS" is very much a closed question, and for a lot of sites the answer is a resounding "NO".

The fact that you might not use those sites doesn't mean that we who deliver tools for them can just ignore them, or even worse, impose our political agenda on them.

You can do HTTPS with Varnish if you want to, but you'll have to do it with the architecturally and security-wise most sensible configuration: with an SSL-terminating proxy in front of Varnish.

And again: Talk to your legislators about people's right to privacy. I'm just pointing out that such laws exist; I'm not writing them (or, for that matter, agreeing with them).

In places like jails, schools, and libraries (where the owner can add a compromised CA cert and users don't have permissions to remove it) it's entirely possible to MITM and decrypt all TLS traffic, so I don't get why you're still arguing as if that wasn't the case.

While the long tail of sites isn't on HTTPS yet, the most popular ones are HTTPS-only already, and the result is that in Chrome HTTPS sites are browsed more often than HTTP sites:

https://plus.google.com/+IlyaGrigorik/posts/7VSuQ66qA3C