History of HTTPS Usage (opens in new tab)

(jefftk.com)

61 pointswpapper1y ago26 comments

26 comments

14 comments · 4 top-level

Wowfunhappy1y ago· 5 in thread

> This allowed for an enormous amount of things, but online shopping wasn't one of them. The problem was, sending credit card numbers over HTTP opened them up to theft: anyone between you and the server could keep a copy of your card information.

In the 90s, what exactly would the attack vector have been? I don't imagine AOL would have wanted to steal people's credit cards. I find it odd that this was viewed as a concern for credit cards but not website logins.

tialaramex1y ago

People genuinely worried about this. If you go back to around the time SSL is announced, the media coverage says well, you can't really have shopping on the Internet because there's no way to secure credit card purchases. Clifford Stoll has a rant from around then in which he just plain asserts it will never happen, even though that's actually written IIRC after SSL shipped.

A few years later it's much more about whether this is really going to take off, there's no doubt people can do it, but is there any desire? There's a BBC clip on Youtube from the era when Amazon is an exciting new business, it has a lot more different books in stock than any bricks and mortar store, but it doesn't have the enormous sales volumes compared to real world book stores yet, Bezos could just be another entrepreneur with an idea that sounds good - he isn't yet incredibly rich and so he also seems much less weird.

nitwit0051y ago

While it's certainly possible the ISP could extract the data (and might be forced to by some intelligence agency), it was also possible to just listen to the data in transit. Remember that these were the days of people sending data over telephone wires.

ytch1y ago

Other than eavesdrop, the biggest advantage of HTTPS for me is to stop nasty ISP that injecting advertisement or other code in HTTP page.

3 more replies

chgs1y ago

People routinely ordered by phone, reading out the card number to the person on the far end.

2 more replies

Wowfunhappy1y ago

> it was also possible to just listen to the data in transit. Remember that these were the days of people sending data over telephone wires.

It's that easy to tap a phone line?

Mail order services will take credit card numbers over the phone verbally, right? Why was that considered safer?

sureIy1y ago· 2 in thread

The funniest thing about HTTPS is that its transition/enforcement exposed a lot of people who don’t understand why we need HTTPS everywhere, even if there are no logins (!!!)

To this day, if you open Twitter, Facebook Groups or Discord, you’ll find people complaining about Google forcing HTTPS down people’s throat.

em-bee1y ago

one of my biggest regrets is that in the early 2000s when i was contributing to a webserver project i suggested that we should not allow people to log in via http but instead enforce https for that. or rather, use https for login content and http for public content. the devs liked the idea and promptly implemented it with the result that while it now was no longer possible to log in via http the server also could not show public content over https.

curated4ever1y ago

Plenty of them here on HN too.

kalleboo1y ago· 2 in thread

[2018]

nofinator1y ago

Aha. I was surprised to see that ~30% of web pages loaded by Firefox were still not https. A 6-year-old graph would explain why!

adgjlsfhk11y ago

Apparently 10% is still unencrypted which is higher than I would have thought... https://letsencrypt.org/stats/

ViktorRay1y ago· 1 in thread

Makes me wonder what the history of HTTPS is on Hacker News. Does anyone know?

Perhaps the dang (the moderator of Hacker News) knows…

diggan1y ago

Not a definite answer by any measure, but pg started linking to https://news... instead of http://news... sometime around 11 years ago: https://hn.algolia.com/?dateRange=all&page=0&prefix=true&que...

Before that, all http links instead.

j / k navigate · click thread line to collapse