undefined | Better HN

0 pointssam_lowry_10mo ago0 comments

Why? The days of MITM boxes injecting content into HTTP traffic are basically over, and frankly they never were a thing in my part of the world.

I see no other reason to serve content over HTTPS.

0 comments

JoshTriplett10mo ago

> Why? The days of MITM boxes injecting content into HTTP traffic are basically over

The reason you don't see many MITM boxes injecting content into HTTP anymore is because of widespread HTTPS adoption and browsers taking steps to distrust HTTP, making MITM injection a near-useless tactic.

(This rhymes with the observation that some people now perceive Y2K as overhyped fear-mongering that amounted to nothing, without understanding that immense work happened behind the scenes to avert problems.)

schoen10mo ago

https://en.wikipedia.org/wiki/Preparedness_paradox

JoshTriplett10mo ago

Thank you!

sam_lowry_OP10mo ago

How do browsers distrust HTTP, exactly?

JoshTriplett10mo ago

They show any site served over HTTP as explicitly not secure in the address bar (making HTTPS the "default" and HTTP the visibly dangerous option), they limit many web APIs to sites served over HTTPS ( https://developer.mozilla.org/en-US/docs/Web/Security/Secure...) , https://developer.mozilla.org/en-US/docs/Web/Security/Secure... ), they block or upgrade mixed-content by default (HTTPS sites cannot request HTTP-only resources anymore), they require HTTPS for HTTP/2 and HTTP/3, they increasingly attempt HTTPS to a site first even if linked/typed as http, they warn about downloads over http, and they're continuing to ratchet up such measures over time.

2 more replies

castillar7610mo ago

They’ve been making it harder and harder to serve things over HTTP-only for a while now. Steps like marking HTTP with big “NOT SECURE” labels and trying to auto-push to HTTP have been pretty effective. (With the exception of certain contexts, I think this is a generally good trend, FWIW.)

1 more reply

0xCMP10mo ago

If you try to open anything with just HTTP on an iOS device (e.g. "Hey, look at this thing I made and have served on the public internet! <link>") it just won't load.

This was my experience sending a link to someone who primarily uses an iPad and is non-technical. They were not going to find/open their Macbook to see the link.

g-b-r10mo ago

You see no reason for privacy, ok

j / k navigate · click thread line to collapse

0 comments

JoshTriplett10mo ago

> Why? The days of MITM boxes injecting content into HTTP traffic are basically over

schoen10mo ago

https://en.wikipedia.org/wiki/Preparedness_paradox

JoshTriplett10mo ago

Thank you!

sam_lowry_OP10mo ago

How do browsers distrust HTTP, exactly?

JoshTriplett10mo ago

2 more replies

castillar7610mo ago

1 more reply

0xCMP10mo ago

If you try to open anything with just HTTP on an iOS device (e.g. "Hey, look at this thing I made and have served on the public internet! <link>") it just won't load.

This was my experience sending a link to someone who primarily uses an iPad and is non-technical. They were not going to find/open their Macbook to see the link.

g-b-r10mo ago

You see no reason for privacy, ok

j / k navigate · click thread line to collapse