undefined | Better HN

0 pointsseanp2k22y ago0 comments

This —- I really don’t care if my blog with no user registration or comments gets accessed over HTTP/1.1 without an SSL cert. Further, I find the way Chrome handles HSTS pretty gross, as some of us actually tinker with stuff that REALLY doesn’t need encryption, like little dev boards and projects running locally. Chrome makes those exceedingly difficult to use, thus the need for extremely convoluted workarounds like https://github.com/ip2k/I-Dont-Care-About-HSTS-For-Localhost (it’s my repo).

0 comments

3 comments · 1 top-level

bruce3434342y ago· 2 in thread

I do care. I don't want to have my name attached to any advertisements that shady airport routers may insert into the html for instance. TLS is a very good thing and we should have more of it, not less. Sorry that your unupgradable software comes from an era where security was not important.

rollcat2y ago

> Sorry that your unupgradable software comes from an era where security was not important.

TenFourFox[1] continues to be maintained through community effort, and receives regular security fixes/backports. The problem is not software (although the project desperately lacks manpower), but the 20yro single-core CPU that literally sweats to push the crypto (let alone the CSS&JS).

Don't get me wrong. The relentless push for TLS is good, and I'm not arguing to take a step back - that would be insane. The change I'm asking for is, rather than doing [2] in your nginx.conf, do [3]. It doesn't change anything at all for modern browsers (when you hit that path, you're already at the mercy of an intercepting proxy), but makes your site more accessible for my ancient junk ;)

[1]: https://github.com/classilla/tenfourfox

[2]:

    return 301 https://$host$request_uri;

[3]:

    if ($http_upgrade_insecure_requests = "1") {
        return 301 https://$host$request_uri;
    }

obscurette2y ago

People don't care because they haven't seen what "advertisements from shady airport routers" even means. This has never been a real thing in most of Europe for example. I didn't care either until I traveled to US and had to check the homepage of my then employer. The experience can be compared today if you visit a ad-heavy shady news site with Ublock Origin on at first, then off.

j / k navigate · click thread line to collapse