top | item 12285912


ashray | 9 years ago

I agree with you 100%. What I don't get is the tradeoff that happens in this case for sites that do not necessarily need to be secure by design (what about a news site that has no login/etc or a blog?). Should all information on the web be encrypted by default?

Should all those sites not benefit from the speed improvements that HTTP/2 offers? It seems unusual to couple HTTP/2 with TLS; again, it's not the spec that does this but the vendors who are doing this.

The bigwigs of the industry will throw tons of developer resources at converting everything to TLS (haven't they already for the most part?) and then deploying HTTP/2. They already throw tons of money at being the fastest out there.

I find it interesting (worrying?) that while a spec does not specifically enforce a requirement, large browser vendors have enforced it and created an imperative for pretty much everyone to comply if they want the benefits of the new protocol.


danudey|9 years ago

There are a surprising number of ISPs that will happily inject content into users' data streams - we've had to go HTTPS with our apps to prevent this on several occasions.

Who's to say it won't be ads next? Who's to say they won't be serving exploits to clients? One lazy ISP trying to make a quick buck could serve untrustworthy ads to millions of people and have it show up on other sites, making it difficult initially to determine the source of the exploit, and preventing browsers' 'untrustworthy site' warnings from protecting users.

The same thing happened years ago with RBLs, where ISPs would return fake DNS results for sites which didn't exist, breaking RBL lookups completely and severely hampering spam detection for any users using those DNS servers. Worse yet, some of them prevent you from accessing other DNS servers directly, making it impossible to avoid their breakage.

If there's one thing we've learned in the last ten years it's that we can't trust ISPs to stay in their roles as providers of connectivity and services; they all see the potential for more money and never seem to grasp the downsides until it's too late.

mikeash|9 years ago

Should J Random Hacker be able to alter your news feed to feed you fake information?

I think one reason they insist on TLS is because the need for privacy and integrity is a lot bigger than most people realize, and historically server folks have not reliably made the right choice.

ashray|9 years ago

No, of course not. What would be the economic incentive towards carrying out a sufficiently complex MITM attack on a blog or a newsfeed?

In my experience the times that I've had users complain about "injected" information or weird ads, it's usually come from malware that resides ON their system. There's no MITM required for this. The injection happens client side through a browser plugin or some other resource that gets loaded up along with the page. TLS wouldn't fix this in any way as far as I am aware.

mholt|9 years ago

> what about a news site that has no login/etc or a blog?

HTTPS. It's not just about privacy. You want people changing the content of your articles and injecting ads or malicious scripts for your visitors? As the owner of the site, you have a responsibility to protect them and protect yourself from liabilities.

Are you using the transport layer? Then you need Transport Layer Security.

> Should all those sites not benefit from the speed improvements that HTTP/2 offers?

So, nope. Not until they can guarantee integrity and authentication.

witty_username|9 years ago

> Should all information on the web be encrypted by default?

Yes. There is little cost to doing so.