
SnacksOnAPlane | 8 years ago

As long as neverssl.com still exists so I have some way to pop up the login page from captive wifi portals, I'm fine with everyone else going SSL.

However, I basically agree that if you're just hosting a blog with no user interaction, there's really no need for it. The threats (for example, somebody hijacks the request and returns different content) are minimal.


provost|8 years ago

There are ISPs that have tools to inject arbitrary code into HTTP webpages. For example, my ISP injects notification banners into my web browser sometimes.

Even if the ISP means well at the beginning, the tool can be abused (ISPs injecting tracking, or reading the tracking information so they can sell it). Attackers at coffee shops and conferences can do much worse.

bo1024|8 years ago

This is the reason I finally added SSL to my academic webpage.

lol768|8 years ago

> so I have some way to pop up the login page from captive wifi portals, I'm fine with everyone else going SSL

Isn't this the fault of those deploying the captive portal for not implementing RFC7710 and advertising a secure login URL?

qb45|8 years ago

First time I hear of RFC7710, all I see is HTTP hijacking. Does anybody support it, in particular OS vendors? I suppose some new UI or a new API for browsers would be required.

Spivak|8 years ago

Yes, but we have to work around crappy software all the time. I've used portals that only trigger on google.com.

willstrafach|8 years ago

Minimal depending on location. In the USA, worst we have heard about is tracking cookies and injected notifications. In China, for example, malware injection has occurred from ISP's ad networks.

dsfyu404ed|8 years ago

> The threats (for example, somebody hijacks the request and returns different content) are minimal.

I wouldn't call injecting malware/adware/advertising minimal.

organsnyder|8 years ago

I use example.com for this purpose. I'm guessing that they'll keep listening on port 80 for quite some time.

schindlabua|8 years ago

I prefer example.org because I'm anti-capitalist and hate commerce.

tomjen3|8 years ago

I thought so too, but there was one US ISP that started injecting headers.

mijoharas|8 years ago

I had such a problem trying to figure out a site I knew that didn't use ssl yesterday for this! Thanks for the tip.

jchw|8 years ago

Your users might care when malware is injected into your page.