undefined | Better HN

0 pointshamburglar2y ago0 comments

I’d agree with you about HTTPS providing most of the benefit that VPN advertising focuses on if I hadn’t seen repeated direct evidence that even most technical users will blithely click through HTTPS errors’ “accept the risk” bypass. It’s as if knowledgeable users think “sure, this could be a man in the middle attack, but it’s most likely just a benign cert problem, because certs are hard.” Sigh.

0 comments

noirscape2y ago

To be frank that's also because the cause for an HTTPS certificate error ranges from "malicious hijack" to "misconfigured server setup" to "I lapsed the expiry date" to "I am using a self-signed certificate".

The degree of which these should be scares is not equivalent, yet browsers will treat all of these as equivalent even though they can distinguish between them in the error page. It just results in clickthrough fatigue, where technical users just ignore the warning because it's not worthwhile to deal with even when they really should.

Plus a VPN won't protect you from a malicious hijack, it just prevents them from grabbing your IP address.

maccard2y ago

The reason the browser doesn't differentiate between them is because the end result is the same - the cett doesn't match the browsers trusted store. The battle has beenosr on self signed certs at this point (unless you're an enterprise, at which point bundle them with your image).

The difference between a misconfiguration and a compromise is intention, both should be treated as equally suspicious.

eximius2y ago

The problems with clicking past those errors are typically not due to network sniffing but with whatever crazy shit is on the page they are going to.

The only two valid usecases of big VPNs like these are

1. Very mild security increase over public wifi 2. Shifting your risk from the ISP spying to mullvad or the VPN provider spying or slightly anonymizing if mullvad rotates IPs.

(2) is a real benefit because ISPs are pretty terrible, but it's still pretty minor in the grand scheme of most people's threat models.

zarzavat2y ago

3. You live in a country where your ISP is legally mandated to record all of your browsing history and make it available to the government.

4. You live in a country where certain websites are blocked because the government doesn’t agree with them, or because those websites don’t want to deal with your country.

Kwpolska2y ago

Those countries probably block VPN services, especially the popular ones which buy all the ads.

2 more replies

digging2y ago

Yeah, I hate my ISP. I am certain they sell every bit of data they can. Ergo, I use a VPN most of the time.

thedaly2y ago

I haven't experienced an HTTPS error on a legitimate site that I would input any personal information into in years.

I couldn't imagine clicking past one of those warnings to login to my bank or even amazon.

c7DJTLrn2y ago

>if I hadn’t seen repeated direct evidence that even most technical users will blithely click through HTTPS errors’ “accept the risk” bypass

As far as I recall this is not possible on Chrome if you are MITM'd. If the cert presented doesn't match the cert in the HSTS cache, there is no option to bypass. If the server's cert is expired, then you do indeed see the option, but an expired certificate doesn't necessarily mean danger.

thayne2y ago

It is possible to bypass. Just more difficult.

j / k navigate · click thread line to collapse