undefined | Better HN

0 pointsJoshTriplett11mo ago0 comments

> Why? The days of MITM boxes injecting content into HTTP traffic are basically over

The reason you don't see many MITM boxes injecting content into HTTP anymore is because of widespread HTTPS adoption and browsers taking steps to distrust HTTP, making MITM injection a near-useless tactic.

(This rhymes with the observation that some people now perceive Y2K as overhyped fear-mongering that amounted to nothing, without understanding that immense work happened behind the scenes to avert problems.)

0 comments

schoen11mo ago

https://en.wikipedia.org/wiki/Preparedness_paradox

JoshTriplettOP11mo ago

Thank you!

sam_lowry_11mo ago

How do browsers distrust HTTP, exactly?

JoshTriplettOP11mo ago

They show any site served over HTTP as explicitly not secure in the address bar (making HTTPS the "default" and HTTP the visibly dangerous option), they limit many web APIs to sites served over HTTPS ( https://developer.mozilla.org/en-US/docs/Web/Security/Secure...) , https://developer.mozilla.org/en-US/docs/Web/Security/Secure... ), they block or upgrade mixed-content by default (HTTPS sites cannot request HTTP-only resources anymore), they require HTTPS for HTTP/2 and HTTP/3, they increasingly attempt HTTPS to a site first even if linked/typed as http, they warn about downloads over http, and they're continuing to ratchet up such measures over time.

foobiekr11mo ago

If browser vendors really cared, they would disable javascript on non-https sites.

GoblinSlayer11mo ago

https://googleprojectzero.blogspot.com/2025/03/blasting-past...

fc417fc80211mo ago

> they increasingly attempt HTTPS to a site first even if linked/typed as http

And can generally be configured by the user not to downgrade to http without an explicit prompt.

Honestly I disagree with the refusal to support various APIs over http. Making the (configurable last I checked) prompt mandatory per browser session would have sufficed to push all mainstream sites to strictly https.

JoshTriplettOP11mo ago

> And can generally be configured by the user not to downgrade to http without an explicit prompt.

Absolutely, and this works quite well on the current web.

> Honestly I disagree with the refusal to support various APIs over http.

There are multiple good reasons to do so. Part of it is pushing people to HTTPS; part of it is the observation that if you allow an API over HTTP, you're allowing that API to any attacker.

1 more reply

castillar7611mo ago

They’ve been making it harder and harder to serve things over HTTP-only for a while now. Steps like marking HTTP with big “NOT SECURE” labels and trying to auto-push to HTTP have been pretty effective. (With the exception of certain contexts, I think this is a generally good trend, FWIW.)

g-b-r11mo ago

I have to change two settings to be able to see plain http things, and luckily I only need to a handful of times a year.

If I'm really curious about your plain http site I'll check it out through archive.org, and I'm definitely not going to keep visiting it frequently.

It's been easy to live with forced https for at least five years (and for at least the last ten with https first, with confirmations for plain http).

castillar7611mo ago

I was genuinely taken aback by visiting a restaurant website last night that was only served over HTTP. (Attempting to hit it with HTTPS generated a cert error because their shared provider didn't have a cert for it.) These days, I'd gotten so used to things just being over HTTPS all the time that the warnings in the browser _actually worked_ to grab my attention.

It's a restaurant that's been here with the same menu since the 1970s, and their website does absolutely nothing besides pass out information (phone number, menu, directions), so they probably put it up in 2002 and haven't changed it since. It was just a startling reminder of how ubiquitous HTTPS has gotten.

0xCMP11mo ago

If you try to open anything with just HTTP on an iOS device (e.g. "Hey, look at this thing I made and have served on the public internet! <link>") it just won't load.

This was my experience sending a link to someone who primarily uses an iPad and is non-technical. They were not going to find/open their Macbook to see the link.

j / k navigate · click thread line to collapse

0 comments

schoen11mo ago

https://en.wikipedia.org/wiki/Preparedness_paradox

JoshTriplettOP11mo ago

Thank you!

sam_lowry_11mo ago

How do browsers distrust HTTP, exactly?

JoshTriplettOP11mo ago

foobiekr11mo ago

If browser vendors really cared, they would disable javascript on non-https sites.

GoblinSlayer11mo ago

https://googleprojectzero.blogspot.com/2025/03/blasting-past...

fc417fc80211mo ago

> they increasingly attempt HTTPS to a site first even if linked/typed as http

And can generally be configured by the user not to downgrade to http without an explicit prompt.

JoshTriplettOP11mo ago

> And can generally be configured by the user not to downgrade to http without an explicit prompt.

Absolutely, and this works quite well on the current web.

> Honestly I disagree with the refusal to support various APIs over http.

There are multiple good reasons to do so. Part of it is pushing people to HTTPS; part of it is the observation that if you allow an API over HTTP, you're allowing that API to any attacker.

1 more reply

castillar7611mo ago

g-b-r11mo ago

I have to change two settings to be able to see plain http things, and luckily I only need to a handful of times a year.

If I'm really curious about your plain http site I'll check it out through archive.org, and I'm definitely not going to keep visiting it frequently.

It's been easy to live with forced https for at least five years (and for at least the last ten with https first, with confirmations for plain http).

castillar7611mo ago

0xCMP11mo ago

If you try to open anything with just HTTP on an iOS device (e.g. "Hey, look at this thing I made and have served on the public internet! <link>") it just won't load.

This was my experience sending a link to someone who primarily uses an iPad and is non-technical. They were not going to find/open their Macbook to see the link.

j / k navigate · click thread line to collapse