Unable to load image
/h/slackernews House Vampire Founder
SN mayo/cide :marseymayo: :marseyrapscallion:  2yr ago (sininenankka.dy.fi) 298 thread views #103733

How did this make the frontage and why? :marseyitsover: Why HTTP without encryption and self-signed sertificates are OK

https://sininenankka.dy.fi/~sami/httpencryption.txt

:#marseydisagree:

23
New Old Top Bottom Controversial Random
Jump in the discussion.

No email address required.

View entire discussion

For anybody, who doesn't want to visit the page:

Why HTTP without encryption and self-signed sertificates are OK

Encryption is important. It is used to make sure that no-one eavesdrops the 
data transmission or injects something like ads or malicious scripts into the 
content. However, there still are, and always will be, valid reasons to also 
allow the use of HTTP without encryption.

1) There are many different levels of protocols, and HTTP is only one of them.

Modern computer networking is based on something called "protocol stacking". 
Basically there are many different protocols acting as a payload to another 
protocol. Usually under HTTP there is at least two other protocols, TCP and IP. 
When we are encrypting a HTTP connection, we are only adding one more protocol 
(TLS) between the HTTP and TCP protocols.

When connecting to the internet required calling the ISP with a modem, it was 
possible to encrypt the whole call - that way every protocol in the stack, 
including TCP/IP, became encrypted. With a completely encrypted protocol stack 
the HTTP protocol doesn't need TLS to prevent man-in-the-middle attacks, if the 
server also has (and it probably will have) a trusted connection to the public 
internet and the route of the packages between the server and the user's ISP is 
known.

Although with modern internet connections it is unusual to have the whole 
protocol stack encrypted, some users may still have a completely encrypted 
protocol stack. In these cases it is completely acceptable to use unencrypted 
HTTP at least for accessing static content.

2) The route of packages is sometimes known to be safe.

Often the route of the packages is also completely known (for example in 
intranets), and sometimes in these cases, there is even no routing to the 
public internet available, which makes it impossible to update the root 
certificates easily. Using TLS in these conditions can be troublesome.

That works only if you 100% trust your environment, which is not the case anymore. Currently Zero Trust architecture is the closest one to be as safe as possible on the internet, and it forces encryption on everything, even in LAN/intranet.

3) Are we encrypting a wrong protocol?

Adding an encryption with a certificate to the protocol stack doesn't 
automatically improve security. We have to understand what is the confidential 
data that we want to encrypt, and in what level of the protocol stack should 
the encryption be so that it prevents any unauthorized people from seeing the 
confidential data.

For example, modern instant messaging platforms like Discord, Facebook, 
Snapchat etc. encrypt the connection between the client and the server and 
therefore falsely advertise themselves as "secure". However there is no 
end-to-end encryption, and anyone who has an access to the server can also see 
the messages - and this includes not only the administrators of the messaging 
platform but also any national intelligence agencies and other often malicious 
actors.

The correct way to do it is to encrypt the messages (or whatever payload is 
transmitted between the clients) in the sender's client and then decrypt them 
in the receiver's client. That way the server cannot see the unencrypted 
content. That's also what end-to-end encryption means.

Encrypting a wrong protocol without a proper reason may at best only create 
more overhead and consume more bandwidth and CPU time than is needed, but at 
worst it may create a false sense of security.

There is no "wrong protocol" there is "who do you trust:

  • use end-to-end if you don't trust anybody
  • use TLS/VPN if you don't trust ISP and BGP, but you trust the server (most common case)

Worrying about CPU time in 2022?

4) Self-signed certificates are normally safe, and malicious sites these days 
usually have "trusted" certificates.

There used to be a time when malicious websites usually didn't have encryption 
at all, or if they had, their certificate was self-signed. Let's Encrypt 
changed that. Now every malicious site has a certificate that appears trusted, 
and there will soon be a need of having different levels of "trust", where 
free-of-charge certificates like the ones from Let's Encrypt will become 
essentially untrusted.

This is a problem that cannot be solved. Self-signed certificates used to be 
considered fine, but now every mainstream browser shows a scary warning before 
entering a site with such certificate. The same will happen to the certificates 
from Let's Encrypt and then it will again be impossible to get a trusted 
certificate for free.

However, there is nothing wrong with self-signed certificates as long as the 
browser actually shows the relevant information (the public key etc.) so that 
the user can make sure that the other end of the connection really is what it 
claims to be. When used properly, self-signed certificates are actually safer 
than certificates from Let's Encrypt. Showing the user nonsensical warnings like 
"Someone is trying to steal your credit card information!!!!11" only creates 
confusion and misconceptions about security.

Phishing websites also did not have lookalike domains before unicode characters 
were allowed in domain names. That itself is much more dangerous problem than 
having no encryption, because it is harder to notice.

Just remember all certificate fingerprints and validate them yourself. How hard can it be?


5) Allow using the site with retro hardware.

People are using the internet with old hardware for variety of reasons. Some do 
it for fun, and some do it because they cannot afford a newer, more modern 
device. Continually imposing new technical requirements for accessing the site 
may be discriminating against these people.

Sometimes the server itself can also be archaic hardware (for example a 
Commodore 64 or a 486 PC) for reasons. The server and/or the client computer 
can also sometimes have a completely homebrew software stack that is not capable 
of doing modern encryption.

6) Let the user decide.

By convention the TCP port 80 is used to serve non-encrypted content and the 
port 443 is used to serve the content encrypted via TLS. There is no valid 
reason to change this. Web browsers, and in many cases also servers, should 
respect the user's choice.

Users are lazy, stupid, or both. They don't want to think what to do, they just want to watch pictures of cats or buy concert tickets.

Jump in the discussion.

No email address required.

All them words won't bring your pa back.

Jump in the discussion.

No email address required.



Now playing: Fear Factory (DKC).mp3

Top Poster of the Day:
911roofer
Current Registered Users: 30,838
sidebar image

tech/science swag. :marscientist:

Effortposts made by SN Chads

Guidelines:

What to Submit

On-Topic: Anything that good slackers would find interesting. That includes more than /g/ memes and slacking off. If you had to reduce it to a sentence, the answer might be: anything that gratifies one's intellectual laziness.

Off-Topic: Most stories about politics, or crime, or sports, unless they're evidence of some interesting new phenomenon. Videos of pratfalls or disasters, or cute animal pictures. If they'd cover it on TV news, it's probably lame.

Help keep this hole healthy by keeping drama and NOT drama balanced. If you see too much drama, post something that isn't dramatic. If there isn't enough drama and this hole has become too boring, POST DRAMA!

In Submissions

Please do things to make titles stand out, like using uppercase or exclamation points, or saying how great an article is. It should be explicit in submitting something that you think it's important.

Please don't submit the original source. If the article is behind a paywall, just post the text. If a video is behind a paywall, post a magnet link. Fuck journos.

Please don't ruin the hole with chudposts. It isn't funny and doesn't belong here. THEY WILL BE MOVED TO /H/CHUDRAMA

If the title includes the name of the site, please leave that in, because our users are too stupid to know the difference between a url and a search query.

If you submit a video or pdf, please don't warn us by appending [video] or [pdf] to the title. That would be r-slurred. We're not using text-based browsers. We know what videos and pdfs are.

Make sure the title contains a gratuitous number or number + adjective. Good clickbait titles are like "Top 10 Ways to do X" or "Don't do these 4 things if you want X"

Otherwise editorialize. Please don't use the original title, unless it is gay or r-slurred, or you're shits all fucked up.

If you're going to post old news (at least 1 year old), please flair it so we can mock you for living under a rock, or don't and we'll mock you anyway.

Please don't post on SN to ask or tell us something. Send it to [email protected] instead.

If your post doesn't get enough traction, try to delete and repost it.

Please don't use SN primarily for promotion. It's ok to post your own stuff occasionally, but the primary use of the site should be for curiosity. If you want to astroturf or advertise, post on news.ycombinator.com instead.

Please solicit upvotes, comments, and submissions. Users are stupid and need to reminded to vote and interact. Thanks for the gold, kind stranger, upvotes to the left.

In Comments

Be snarky. Don't be kind. Have fun banter; don't be a dork. Please don't use big words like "fulminate". Please sneed at the rest of the community.

Comments should get more enlightened and centrist, not less, as a topic gets more divisive.

If disagreeing, please reply to the argument and call them names. "1 + 1 is 2, not 3" can be improved to "1 + 1 is 3, not 2, mathfaggot"

Please respond to the weakest plausible strawman of what someone says, not a stronger one that's harder to make fun of. Assume that they are bad faith actors.

Eschew jailbait. Paedophiles will be thrown in a wood chipper, as pertained by sitewide rules.

Please post shallow dismissals, especially of other people's work. All press is good press.

Please use Slacker News for political or ideological battle. It tramples weak ideologies.

Please comment on whether someone read an article. If you don't read the article, you are a cute twink.

Please pick the most provocative thing in an article or post to complain about in the thread. Don't nitpick stupid crap.

Please don't be an unfunny chud. Nobody cares about your opinion of X Unrelated Topic in Y Unrelated Thread. If you're the type of loser that belongs on /h/chudrama, we may exile you.

Sockpuppet accounts are encouraged, but please don't farm dramakarma.

Please use uppercase for emphasis.

Please post deranged conspiracy theories about astroturfing, shilling, bots, brigading, foreign agents and the like. It degrades discussion and is usually mistaken. If you're worried about abuse, email [email protected] and dang will add you to their spam list.

Please don't complain that a submission is inappropriate. If a story is spam or off-topic, report it and our moderators will probably do nothing about it. Feed egregious comments by replying instead of flagging them like a pussy. Remember: If you flag, you're a cute twink.

Please don't complain about tangential annoyances—things like article or website formats, name collisions, or back-button breakage. That's too boring, even for HN users.

Please seethe about how your posts don't get enough upvotes.

Please don't post comments saying that rdrama is turning into ruqqus. It's a nazi dogwhistle, as old as the hills.

Miscellaneous:

The quality of posts is extremely important to this community. Contributors are encouraged to provide high-quality or funny effortposts and informative or entertaining comments. Please refrain from posting the following:

  • Boring wingcucked nonsense nobody cares about that belongs in chudrama

  • Normie shit everyone already knows about

  • Anything that doesn't gratifify one's intellectual laziness

  • Bimothy-tier posts

  • Anything that the jannies don't like

Jannies reserve the right to exile baby ducks from this hole at any time.

We reserve the right to exile you for whatever reason we want, even for no reason at all! We also reserve the right to change the guidelines at any time, so be sure to read them at least once a month. We also reserve the right to ignore enforcement of the guidelines at the discretion of the janitorial staff. This hole is a janny playground, participation implies enthusiastic consent to being janny abused by unstable alcoholic bullies and loser nerds who have nothing better to do than banning you for any reason or no reason whatsoever.

[[[ To any NSA and FBI agents reading my email: please consider ]]]

[[[ whether defending the US Constitution against all enemies, ]]]

[[[ foreign or domestic, requires you to follow Snowden's example. ]]]

https://i.rdrama.net/images/1663436125937968.webp

BROWSE EFFORTPOSTS SITE GUIDE DIRECTORY Emojis & Art | Info Megathreads HOLES PING GROUPS
/h/slackernews SETTINGS /h/slackernews MODS /h/slackernews LOG /h/slackernews EXILEES /h/slackernews FOLLOWERS /h/slackernews BLOCKERS
Link copied to clipboard
Action successful!
Error, please refresh the page and try again.