undefined | Better HN

0 pointsjdormit7y ago0 comments

> SSL is useless for static content

This is just... false. Without SSL, static content can be MITM'd just like anything else. Don't believe me? Connect to the WiFi in any Starbucks and visit http://example.com. That redirect to the Starbucks WiFi login page certainly isn't being served from example.com...

Please stop spreading misinformation about SSL.

0 comments

5 comments · 1 top-level

Const-me7y ago· 4 in thread

> Connect to the WiFi in any Starbucks

Need to cross national borders for that, more than once.

> That redirect to the Starbucks WiFi login page certainly isn't being served from example.com

Also saw these things here in a couple of places. Most places here don’t charge for WiFi and have a single PSK key for all clients, but couple indeed ask for authentication this way.

I’m not sure how SSL helps? As a user, I don’t want to have access to WiFi blocked, I rather prefer redirects. Despite it’s technically MITM, it does the job i.e. allows to access the network.

> stop spreading misinformation about SSL

I have written that unless it’s credit card numbers or other sensitive content like e-mails or facebook messages, there’s very little security value in it, and it costs web sites owners. What exactly do you think is the misinformation in this statement?

thameera7y ago

While this may not answer all your questions, here's a good write up about the topic by Troy Hunt, a respected thought-leader in the industry: https://www.troyhunt.com/heres-why-your-static-website-needs...

ehnto7y ago

If your site is vulnerable to a MITM attack you are not protecting your users and someone can serve them anything. The security risk isn't people reading your blog in flight, it is people injecting your blog with malicious scripts that can compromise your users.

Would you be happy if when I visited your website I was asked for my credit card details through a phishing scam? Not secure for me, not a good look for your site.

JudgeWapner7y ago

completely ignoring privacy. ISP's "collect" (read: eavesdrop) on all data they can get their hands on.

Const-me7y ago

ISPs know IP addresses anyway, even with HTTPS. Same with DNS names.

SSL makes a lot of sense on web sites like facebook and youtube: users enter sensitive data there, servers serve terabytes of available content, not all of which is public, and even for public, the user’s selection is privacy-sensitive.

For a small static web sites, any person in the world can get their hands on all the content, that’s the whole point of public Internet. There’s no privacy-sensitive data in HTTP traffic to these sites, unless there’s google analytics, ads, or some other malware on that site.

1 more reply

j / k navigate · click thread line to collapse