undefined | Better HN

0 pointsshadowgovt4mo ago0 comments

Doesn't that mean that technically, any node in the network between you and your reader can mutate the contents of the blog in-transit without anyone being the wiser (up to and including arbitrary JavaScript inline injection)?

Probably a low-threat security risk for a blog.

0 comments

bsilvereagle4mo ago

Yes, hotels were injecting ads on their free WiFi - https://news.ycombinator.com/item?id=3804608

riffic4mo ago

ISPs have been known to do the same thing.

Ferret74464mo ago

Devil's advocate, but maybe ISPs should all inject ads to make a point. They make money, and anyone using HTTP gets taught a free lesson on what MITM means

1 more reply

sam_lowry_4mo ago

I'd be happy if EU outlawed this instead of outlawing encryption.

But indeed, the ability to publish on my own outweights the risk of someone modding my content.

Most of us here read their news from work laptops, where the employer and their MiTM supplier are a much bigger threat even for HTTPS websites.

shadowgovtOP4mo ago

This puts the question into my brain, which I have never thought to pursue, of whether you could offer a self-signed cert that the user has to install for HTTPS.

Their client will complain loudly until and unless they install it, but then for those who care you could offer the best of both worlds.

Almost certainly more trouble than it's worth. G'ah, and me without any free time to pursue a weekend hobby project!

dns_snek4mo ago

> for those who care you could offer the best of both worlds.

You're not really offering that because the first connection could've be intercepted.

1 more reply

bawolff4mo ago

For a blog, i think the bigger risk is pervasive surveilence - gov reads all the connections and puts you on a list if the thing you are reading has the wrong keyword in it.

j / k navigate · click thread line to collapse

0 comments

bsilvereagle4mo ago

Yes, hotels were injecting ads on their free WiFi - https://news.ycombinator.com/item?id=3804608

riffic4mo ago

ISPs have been known to do the same thing.

Ferret74464mo ago

Devil's advocate, but maybe ISPs should all inject ads to make a point. They make money, and anyone using HTTP gets taught a free lesson on what MITM means

1 more reply

sam_lowry_4mo ago

I'd be happy if EU outlawed this instead of outlawing encryption.

But indeed, the ability to publish on my own outweights the risk of someone modding my content.

Most of us here read their news from work laptops, where the employer and their MiTM supplier are a much bigger threat even for HTTPS websites.

shadowgovtOP4mo ago

This puts the question into my brain, which I have never thought to pursue, of whether you could offer a self-signed cert that the user has to install for HTTPS.

Their client will complain loudly until and unless they install it, but then for those who care you could offer the best of both worlds.

Almost certainly more trouble than it's worth. G'ah, and me without any free time to pursue a weekend hobby project!

dns_snek4mo ago

> for those who care you could offer the best of both worlds.

You're not really offering that because the first connection could've be intercepted.

1 more reply

bawolff4mo ago

For a blog, i think the bigger risk is pervasive surveilence - gov reads all the connections and puts you on a list if the thing you are reading has the wrong keyword in it.

j / k navigate · click thread line to collapse