Still Why No HTTPS?

224 points, by andimm, over 5 years ago

39 comments

gmiller123456, over 5 years ago

1. The requirement to involve a 3rd party certificate authority is a needless power grab. Giving in ends the hope that it will ever get changed.

2. There is currently only one free cert provider; if there are ever issues with it, your users will see a scary error message which will make them think there are security issues with your website.

3. Downloading and running code from a 4th, or 5th party and giving it access to your config files is not "more secure".

4. The culture of fear around HTTPS, meaning only the "most secure" or "newest" protocols and cipher suites are to be used. This prevents older clients from working, where HTTP works just fine.

5. HTTPS is needlessly complex, making it hard to implement. There have been several security vulnerabilities introduced simply by its use.

6. If you can't comply with the OpenSSL license, implementing it yourself is a hopeless endeavour.

SSL was developed by corporations, for corporations. If you want some security feature to be applicable to the wider Internet, it needs to be community driven and community focused. Logging in to my server over SSH has far more security implications than accessing the website running on it over HTTPS. Yet, somehow, we managed to get SSH out there and accepted by the community without the need for Certificate Authorities.
dm33tri, over 5 years ago

Why do browsers punish non-verified certs much harder than no cert?

If I want to quickly host my page and use encryption, then I have to go through all that hassle to make it work. Perhaps allow use of self-signed certificates on the same level as http instead of blocking my website.
founderling, over 5 years ago

Because there is only one free certificate provider (Let's Encrypt) and it does not allow wildcard certificates via server authentication.

Having the DNS credentials lying around on the server is not a good idea. So creating wildcard certs via Let's Encrypt is a huge pain in the ass.

If a webmaster has control over somedomain.com I think that is enough to assume he has control over *.somedomain.com. So I think Let's Encrypt should allow wildcards to the owner of somedomain.com without dabbling with the DNS.

The way things are now, I don't use SSL for my smaller projects at smallproject123.mydomain.com because I don't want the hassle of yet another cronjob and I sometimes don't want the subdomain to go into a public registry (where all certificates go these days).
Thorrez, over 5 years ago

The article says googletagmanager.com has HSTS preloading. But it doesn't.

This is easily testable. I view the website in both Chrome and Firefox, and it's http, not https.

Sure, googletagmanager.com is in the preload list, but it doesn't have "mode": "force-https". It just has certificate pinning, not HSTS.
BrandoElFollito, over 5 years ago

Because HTTPS is not as easy as HTTP.

Sure, there is Let's Encrypt, and if you are facing the Internet you are probably good to go.

If you are on an internal network, then good luck. You need to build a PKI, and then put into your devices the right certificate so that it is trusted.

If it was simpler, Apache would sing out its "It works!" in HTTPS and not HTTP.
namibj, over 5 years ago

There is one "good" reason against https: handshakes take enormous amounts of CPU, relatively speaking. It's quite easy to DoS a server by skipping the expensive part on your end. You can load a core with 10~30Mbit@2k rps if you're not even optimized.

Whereas the same server could tank 40k rps HTTP requests.
necovek, over 5 years ago

My biggest gripe with the current de facto recommended approach (even mandated in HSTS) is that you need to redirect to https from untrusted http.

So you are being forced to either not serve http, or to condition users to trust a MITM-able redirect. How many people will notice a typoed redirect to an https page with a good certificate?

The solution is simple: browsers should default to https, and fall back to http if unavailable. Sure, some sites have broken https endpoints, but browsers have enforced crazier shit recently.
wojciechpolak, over 5 years ago

"gnu.org" is on the list marked as a Chinese website...
strenholme, over 5 years ago

One annoyance with this system, from the linked webpage:

> an expectation that a site responds to an HTTP request over the insecure scheme with either a 301 or 302

Doing things this way is the final nail in the coffin for Internet Explorer 6, since IE6 does not use any version of SSL which is considered secure here in 2019. And, yes, I have seen people in the real world still using ancient Internet Explorer 6 as recently as 2015, and Windows XP as recently as 2017.

Which is why I instead do the http → https redirection with Javascript: I make sure the client isn't using an ancient version of Internet Explorer, then use Javascript to move them to the https version of my website. This way, anyone using a modern secure browser gets redirected to the https site, while people using ancient IE can still use my site over http.

(No, I do not make any real attempt to have my HTML or CSS be compatible with IE6, except with https://samiam.org/resume/ and I am glad the nonsense about "pixel perfect" and Flash websites is a thing of the past with mobile everywhere)
altmind, over 5 years ago

Preloads list is an absolute kludge that does not and will never scale and creates a huge deal of problems and works only for specific browsers.

The task is not as simple as using DNS to store strict https flags (as DNS can be manipulated by an intermediary), but hardcoding the lists in the browsers and keeping the lists in Chrome's code is definitely not a solution.
cassianoleal, over 5 years ago

I mostly have port 80 egress traffic blocked on Little Snitch. The web is painful to use like that but gives you an idea of the sorry state of websites.

A lot of websites just don't serve over HTTPS, or serve them with domains whose CN or SAN don't match the host.

Many that do support https have links that downgrade you back to http on the same domain.
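An added example, not from the thread, for the downgrade problem cassianoleal describes: an offline audit that parses a page served over HTTPS and reports every link or subresource pointing back to plain http, separating same-host downgrades from insecure external references. The page URL and HTML below are constructed.

```python
"""Find references on an HTTPS page that would drop a visitor back to plain HTTP.

The page URL and HTML below are constructed sample input. Same-host http
links are the "downgrade" case from the comment above; http subresources
(img/script/iframe) on an https page are also mixed content that browsers
block or warn about.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

PAGE_URL = "https://shop.example.test/catalog"

SAMPLE_HTML = """
<html><body>
<a href="/login">Login</a>
<a href="http://shop.example.test/cart">Cart</a>
<a href="http://cdn.example.test/brochure.pdf">Brochure</a>
<a href="https://shop.example.test/help">Help</a>
<img src="http://shop.example.test/logo.png">
<script src="//static.example.test/app.js"></script>
</body></html>
"""


class RefCollector(HTMLParser):
    """Collect (tag, url) pairs for the attributes that fetch or navigate."""

    ATTRS = {"a": "href", "link": "href", "img": "src",
             "script": "src", "iframe": "src", "form": "action"}

    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        wanted = self.ATTRS.get(tag)
        if wanted is None:
            return
        for name, value in attrs:
            if name == wanted and value:
                self.refs.append((tag, value))


def audit(page_url, html):
    """Return findings for every reference that resolves to an http:// URL.

    Relative and protocol-relative references are resolved against the page
    URL first, so "//host/x" on an https page is (correctly) not flagged.
    """
    page = urlsplit(page_url)
    parser = RefCollector()
    parser.feed(html)
    findings = []
    for tag, ref in parser.refs:
        target = urlsplit(urljoin(page_url, ref))
        if target.scheme != "http":
            continue
        kind = ("downgrade-same-host" if target.hostname == page.hostname
                else "insecure-external")
        findings.append({"tag": tag, "url": target.geturl(), "kind": kind})
    return findings


if __name__ == "__main__":
    for f in audit(PAGE_URL, SAMPLE_HTML):
        print(f"{f['kind']:22s} <{f['tag']}> {f['url']}")
```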
vivekd, over 5 years ago

One thing that surprised me was how hard it was to set up http to https redirects for websites on AWS and Google Cloud. I needed to set up a load balancer to do https.

The redirects are also hard. I have a static site using Google storage and I have to create a server instance and redirect from there because it's not possible to do an automatic redirect. I don't know why the big cloud hosting providers aren't cooperating to make full https implementation easier.
peterwwillis, over 5 years ago

Recently an OpenShift cluster I admin went down because of long-lived certs not being rotated in time. There are many clients, servers, nodes, services, and configs involved, so rotating is non-trivial, so of course it's automated, and of course because it's not tested regularly, the automation just doesn't work after a while. Using the automation only seems to make things worse, and getting everything working again ends up taking days.

PKI is technically the best practice for these systems, but it's also the most fragile and complicated. At a certain point, if the security model is so complex that it becomes hard to reason about, it's arguable that it's no longer a secure model, to say nothing of operational reliability.

I also have a whole rant about how some business models and government regulations literally require inspecting TLS certs of critical transport streams, and how the protocols are designed only to prevent this, and all the many problems this presents as a result, but I don't think most people care about those concerns.

Oh, and gentle reminder that there are still 100% effective attacks that allow automated generation of valid certs for domains you don't control. It doesn't happen frequently (that we know of) but it has happened multiple times in the past decade, so just having a secure connection to a website doesn't mean it's actually secure.
cm2187, over 5 years ago

Is it still the case that when you think you connect in https to a website, only the segment to Cloudflare is encrypted and the segment Cloudflare to the web server might not be?
edf13, over 5 years ago

The biggest problem with forcing everything HTTPS is a false sense of security & trust that this gives to non-techie users.

Security of the data transfer layer does not mean you can or should trust the website you are visiting.

Just because a website has a padlock does not mean it is trustworthy and you can hand over your CC details.

https://www.amazon.somethiing.other.co/greatDiscount may look great to some!
bo1024, over 5 years ago

Maybe I'm wrong, but I feel SSL has a downside of relying on more centralization. If a visitor to my totally-static webpage wants to bypass that layer and request the http version directly, I'm going to let them. (Obviously not excited about the idea of being MITM'd, but it's not a security risk, so leave that tradeoff up to the visitor).
davidmurdoch, over 5 years ago

One potentially good reason to not force SSL: https://meyerweb.com/eric/thoughts/2018/08/07/securing-sites-made-them-less-accessible/

TL;DR: Secure websites can make the web less accessible for those who rely on metered satellite internet (and I'm sure plenty of other cases).
onion-soup, over 5 years ago

Because it's always a pain in the ass to set it up and then renew?
romwell, over 5 years ago

I consider myself young, but I've been around long enough not to rely on One True Service Provider for anything.

And "Let's Encrypt" is not an answer to "HTTPS is not free". It's not. We all are going to see our projects outlive Let's Encrypt (or their free tier).

In the end, nothing is secure. A dedicated attacker will find a way, given enough resources. Any security measure is just a deterrent.

My deterrent is that it's not worth MITM'ing my personal website with, like, 10 monthly visitors. (The reader might gasp that I lock my bicycle with a chain that can be snapped in a second, and that a strong enough human can probably bash my home door in).

Anyway. It's almost 2020, and if you are still advocating on moving the entirety of the Web to reliance on Big Centrally Good Guys, I really don't know what else to say to you.
fiatjaf, over 5 years ago

Because it's hard and a pain.

Sure, depending on your setup it's easy, but for a lot of setups it isn't. Instead of trying to say HTTPS is easy and shaming everybody who isn't doing it, more effort should be diverted into creating an actual fully encrypted network that doesn't need CAs.
LinuxBender, over 5 years ago

It isn't just web sites. Many software repos still use http or native rsync. Some would argue that you validate the packages with GPG, but you would be amazed if you saw how many people install the GPG public key from the same mirror they download software from.
z3t4, over 5 years ago

Had to access an EOL device and couldn't browse the web because of all the ended certificates...
veb, over 5 years ago

I don't get it. With Let's Encrypt, it's like one or two lines to get everything set up.

I'm guessing people aren't as lucky as I am to be running on newer machines and such.

I mean it even edits your nginx files to redirect http to https if you agree. It's not hard.
bullen, over 5 years ago

Downvote time: Why HTTPS?

I made my own security: http://talk.binarytask.com
mohas, over 5 years ago

Many of us have to host our websites on shared hosts that do not support HTTPS for free. HTTPS costs money in the third world.
SlowRobotAhead, over 5 years ago

Am I missing something?

Lots of US sites on their NO HTTPS list come up in Safari as HTTPS. Rutgers.edu for example.
dijit, over 5 years ago

I have a reason not to use https.

I host a single site on a host (so, no login, subject name or path information to leak), which only contains details on how to connect to my irc server at the same address.

If the message is altered then the most pain anyone will have is connecting somewhere else for the first time. (They won't be automatically logging in if they're using this page).

Why does everything need to be TLS? It feels like a cargo cult. A requirement: "because!"

In other scenarios it's worth modelling threats and I agree that it's good to err on the side of caution, but aside from the modification of my connection information there's no good tangible reason to incur an overhead in administration.

Although it should be noted: part of the reason that web server even exists is to do letsencrypt for a globally geobalanced irc network.
andrewfromx, over 5 years ago

I still use https://neverssl.com daily. I hope it never goes away.
megous, over 5 years ago

Service workers are a poor replacement for the shared HTTP cache, since the cache will not be shared among users.
anony121212, over 5 years ago

Ability to write my own HTTP server from scratch. Content is for downloading and use offline.
forgottenpass, over 5 years ago

As long as the world's greatest surveillance system continues to be given deliberate access to the plaintext, I will continue not caring about HTTPS for websites that don't have users logging into an account or submitting forms.
jzl, over 5 years ago

I clicked through to the list of sites. Embarrassing to see that mit.edu is not https by default! The same institution invented Kerberos. Come on MIT, fix this please.
greggman2, over 5 years ago

What is it about that site's low contrast? My eyes can barely focus.
netsectoday, over 5 years ago

Without HSTS preload anyone on your local network can arp/dns spoof your traffic, MITM you, and automatically inject malicious javascript (cryptominers, credential-stealers, etc.), access all of the page content, and manipulate the page or response.

If you are connecting to a "Free Public WiFi" and the malicious actor is the one broadcasting the access-point, it's even easier to MITM you.

Without Cert & Key Pinning your employee laptop can be MITMed by corporate to eavesdrop on all of your HTTPS traffic. The browser will show that the connection is secure, but it isn't. When you pin the cert and key - even with a compromised corporate computer - the insecure site warning will show and you'll be alerted to the fuckery.

> Doing things this way is the final nail in the coffin for Internet Explorer 6

- Fucking great! Nothing else to say here.

> handshakes take enormous amounts of CPU

- This is vastly overstated (enormous?). Also, this is called a tradeoff. Security isn't free in time, money, or performance.

> Preloads list is an absolute kludge that does not and will never scale... and works only for specific browser

- The preload list, right now, is 10.6mb and contains 90,862 entries. This seems to function and scale just fine. Seeding your browser with known values is really the best way to do this until 99.X% of web traffic is provided over HTTPS... Also Chrome, Firefox, Safari, IE/Edge, and Opera make up 98% of all browser traffic today and they have all supported this standard for years.

> The biggest problem with forcing everything HTTPS is a false sense of security.

- Defense in depth. Layering security controls is the only way to go. Also, this is some crazy mental gymnastics to take the position "wearing a seatbelt is a false sense of security because you can still crash".

> Because it's hard and a pain.

- Feeling that pain is offset onto the attackers trying to compromise your site. If you don't feel the pain, they don't either.

> Secure websites can make the web less accessible for those who rely on metered satellite internet... TLS 1.3 with 1-RTT should improve this situation.

- Even if your entire business depended upon delivering data to metered satellite internet users, the risk outweighs the cost when not encrypting your traffic. WARNING: DON'T IMPLEMENT 0-RTT OR 1-RTT WITHOUT UNDERSTANDING YOUR APPLICATION-SPECIFIC REQUIREMENTS. You can really fuck this up by not properly managing tokens between your webserver and application layer. Not recommended.

> I don't get it. With Lets Encrypt, it's like one or two lines to get everything set up.

- True, but it gets confusing really fast if you don't 100% match the certbot use-case.

> HTTPS is not an obligation.

- For 99% of people running businesses, it is.

> Recently an OpenShift cluster I admin went down because of long-lived certs not being rotated in time.

- If you have had certbot running for a long time I would suggest you check your server logs TODAY and make sure your cron job is still working correctly. Recently there was a change with the certbot acme version requirement and your reissue might be failing. Seriously, take a quick look right now.

> Because frankly, I neither trust letsencrypt nor the certificate authority system in general... but won't help against industrial (e)spionage

- Places tinfoil hat on... you're not wrong.
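As an added example (not from the thread) for the HSTS side of what netsectoday describes: a parser for the Strict-Transport-Security response header that checks it against the preload submission rules published on hstspreload.org (max-age of at least one year, includeSubDomains, and the preload directive). The header values below are constructed.

```python
"""Check a Strict-Transport-Security header against the preload-list submission rules.

Rules as published on hstspreload.org: max-age of at least 31536000 seconds
(one year), an includeSubDomains directive, and a preload directive. The
sample header values at the bottom are constructed, not captured from
real sites.
"""
ONE_YEAR = 31536000


def parse_hsts(value):
    """Split an HSTS header into {directive_name: value_or_None}.

    Directives are ';'-separated, names are case-insensitive, and a value may
    be quoted (RFC 6797 grammar); unknown directives are kept but ignored.
    """
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        directives[name.strip().lower()] = val.strip().strip('"') if val else None
    return directives


def preload_issues(header_value):
    """Return a list of problems; an empty list means the header meets the rules."""
    if header_value is None:
        return ["no Strict-Transport-Security header"]
    d = parse_hsts(header_value)
    issues = []
    max_age = d.get("max-age")
    if max_age is None or not max_age.isdigit():
        issues.append("max-age missing or not a number")
    elif int(max_age) < ONE_YEAR:
        issues.append(f"max-age {max_age} is below the required {ONE_YEAR}")
    if "includesubdomains" not in d:
        issues.append("includeSubDomains directive missing")
    if "preload" not in d:
        issues.append("preload directive missing")
    return issues


# Constructed sample header values; None stands for a response without the header.
SAMPLE_HEADERS = {
    "good": "max-age=63072000; includeSubDomains; preload",
    "short": 'max-age="300"; includeSubDomains; preload',
    "no_sub": "max-age=31536000; preload",
    "absent": None,
}

if __name__ == "__main__":
    for label, value in SAMPLE_HEADERS.items():
        print(f"{label:7s} -> {preload_issues(value) or 'OK'}")
```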
faissaloo, over 5 years ago

Because even Certbot is a massive pain to set up if you're not using a very generic setup.
dvfjsdhgfv, over 5 years ago

HTTPS is not an obligation. Most people believe it's a must these days, but it's not. There is a nice rebuttal of Troy's arguments on N-gate (via webcache, as direct links from HN end up in an endless pseudo-captcha):

http://webcache.googleusercontent.com/search?q=cache:t_oVSNuTvIgJ:n-gate.com/software/+&cd=1&hl=en&ct=clnk&gl=pl
WilliamEdward, over 5 years ago

Some websites adamantly insist they do not need HTTPS because they are purely static.

https://www.troyhunt.com/heres-why-your-static-website-needs-https/

The same website, to my surprise, has an article on why this is faulty reasoning.
ktpsns, over 5 years ago

Because frankly, I neither trust letsencrypt nor the certificate authority system in general. This might prevent eavesdropping in your coffee shop wifi, but won't help against industrial espionage powered by three-letter agencies who probably control some of these authorities.