One thing I have recently tried out is to prevent all outbound traffic headed towards port 80. This doesn't *necessarily* block all HTTP traffic, but it blocks any standard HTTP setup.

My expectation was that this would break a lot of the web and a lot of peripheral desktop applications, which I thought would phone home via port 80 to ask for updates and so on. In fact, almost nothing broke at all! So I've kept that turned on. Can recommend doing this if anyone wants peace of mind.

It's very easy to set up with the Windows firewall. Not so sure about other firewalls. (Note the difference between "block outbound traffic on port 80" and "block all traffic destined to port 80 on the remote machine" - I did the latter.)
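The rule described in the comment above, written out as an added PowerShell example (not the commenter's own setup). It assumes an elevated PowerShell session on a Windows 10/11 machine; the rule name and the host used for the check are placeholders.

```powershell
# Added example: a Windows Defender Firewall rule that blocks outbound TCP
# connections whose *remote* port is 80, i.e. the "block all traffic destined
# to port 80 on the remote machine" variant from the comment above.
# Assumes an elevated (Administrator) PowerShell session on Windows 10/11.

$ruleName = 'Block outbound to remote TCP/80'   # placeholder name, pick your own

# -RemotePort is the important parameter. Using -LocalPort 80 instead would
# only match connections where *this* machine's source port happened to be 80,
# which is not what we want: outbound HTTP uses an ephemeral local port.
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName `
        -Direction Outbound `
        -Protocol TCP `
        -RemotePort 80 `
        -Action Block `
        -Profile Any `
        -Enabled True | Out-Null
}

# Confirm the rule's port filter targets RemotePort 80, not LocalPort 80.
Get-NetFirewallRule -DisplayName $ruleName |
    Get-NetFirewallPortFilter |
    Select-Object Protocol, LocalPort, RemotePort

# Quick check: a plain-HTTP connection attempt should now fail, while HTTPS
# to the same host still succeeds. example.com is a placeholder host.
$http  = Test-NetConnection -ComputerName 'example.com' -Port 80  -InformationLevel Quiet -WarningAction SilentlyContinue
$https = Test-NetConnection -ComputerName 'example.com' -Port 443 -InformationLevel Quiet -WarningAction SilentlyContinue
"TCP/80 reachable: $http (expected False); TCP/443 reachable: $https (expected True)"

# To undo: Remove-NetFirewallRule -DisplayName $ruleName
```

Remember that this only covers connections to remote port 80; HTTP served on a non-standard port, or tunneled over another protocol, is not affected by the rule.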
Does this mean we can finally go back to HTTP for connections that don't NEED to be secure without being attacked for it by security Nazis?

Seriously, though, the far bigger problem is the need for better handling of certificates (often permanent) for embedded servers such as IoT devices. Cert management is still a *huge* and pretty much unfixable problem for real world deployments once you get outside the realm of propellerheads like us, and recognize that in the real world, "servers" often lack not just professional, competent administrators (which are required even by all current HTTPS solutions), but administrators, period.
I think HTTPS has been oversold. We've had a very myopic focus on men in the middle, which, for sure, are a problem, but they aren't the only problem, the first problem, or the last problem in digital security.

HTTPS helps against some attack vectors, but makes you incredibly vulnerable to others. It essentially forces you to blindly trust your software, since you can no longer inspect what is entering and leaving your network. Especially as it's becoming ever more common that our software dials home with opaque "telemetry" that for all we know could contain anything.

HTTPS protects you against the neighbor's 17 year old son with his Pringles cantenna and laptop full of scripts, but makes you much more vulnerable to large scale attacks, which become much more viable for those who have the capital to back them.

It's pretty dang weird that the EFF has been leading this charge, especially in the wake of Snowden.