Reply to Consider Disabling HTTPS Auto Redirects by @tdarb

One thing this article misses is the fact that webpages are delivered over the Web to Web browsers.

The vast majority of browsers are application runtime environments. Serving pages to users’ browsers creates a software distribution platform. Serving pages in cleartext is a way to give permission to users’ ISPs, network administrators, and governments to serve their malware instead, under your name, whether or not your page includes any scripts of your own.

People can’t always choose their networks, service providers, or governments. They aren’t always equipped to deal with content injection and page alteration.

This isn’t a “fear-based tactic”. It’s an acknowledgement of our reality: networks are hostile. There are no robust measures to stop an intermediary from altering unencrypted traffic, yet there are strong incentives for all able parties to do so. That makes malware injection a perfectly reasonable concern. Moreover: multiple ISPs, including Comcast and Vodafone, have been caught injecting JavaScript apps into unencrypted pages. Governments are no stranger to content injection either.

If you want to serve in cleartext, pick a protocol that’s not part of an application delivery platform. Gopher is a popular option.

#POSSE note from https://seirdy.one/notes/2022/08/03/on-enforcing-https/


@Seirdy My main point was not to _force_ redirects. Overall, having HTTPS is a good thing. The problem creeps up for anyone on older hardware wanting to visit sites. Let them take the risk if they are okay with it. I believe that is a better and more accessible option instead of shutting them out completely.

@tdarb Update: I was browsing my own site which took me to your “Consider disabling HTTPS auto redirects” article again. I navigated to the donation link at the bottom. It took me to an unencrypted HTTP page with payment information. I had to manually edit the URL to HTTPS so I could know the payment info was legit. This was not my first time visiting that page, but it was the first time I noticed the lack of TLS on it.

Though even with an HTTP-HTTPS re-direct in place just for that page, it’d be trivial to intercept the re-direct and act as a malicious TLS-terminating proxy. Or to just edit the donation link destination on an unencrypted page to point to any other interceptable page.

Personally, my approach would be to only list payment info on an HSTS pre-loaded domain (ideally with DNS HTTPS/SVCB records too since I find the idea of shipping a giant list of domains with a UA to be an icky hack) to side-step that issue, at least until “global HTTPS-first” becomes the default behavior in the vast majority of browsers.
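As an added example (constructed for this note, not code from the thread or from either author), here is a check of the header conditions the HSTS preload list asks of a domain, plus the same-host HTTP-to-HTTPS redirect requirement that closes the interception gap described above; `example.com` and the header strings are made-up sample values.

```python
from urllib.parse import urlparse

ONE_YEAR = 31536000  # seconds; minimum max-age for a preload submission


def parse_hsts(header: str) -> dict:
    """Parse an HSTS header value into {directive: value} (RFC 6797 6.1).
    Names are case-insensitive; a repeated directive invalidates the header."""
    directives = {}
    for part in header.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        name = name.strip().lower()
        if name in directives:
            return {}
        directives[name] = value.strip().strip('"')
    return directives


def preload_problems(header: str) -> list:
    """Reasons the header fails the preload list's header rules; an empty
    list means it passes (certificate and subdomain checks are out of scope)."""
    d = parse_hsts(header)
    if not d:
        return ["missing or malformed Strict-Transport-Security header"]
    problems = []
    max_age = d.get("max-age", "")
    if not max_age.isdigit():
        problems.append("max-age missing or not an integer")
    elif int(max_age) < ONE_YEAR:
        problems.append(f"max-age {max_age} is below one year ({ONE_YEAR})")
    if "includesubdomains" not in d:
        problems.append("includeSubDomains directive missing")
    if "preload" not in d:
        problems.append("preload directive missing")
    return problems


def redirect_ok(status: int, location: str, host: str) -> bool:
    """Preload also requires http://host to redirect straight to https://host;
    a hop to another host, or back to http, is the interceptable weak spot."""
    target = urlparse(location)
    return (status in (301, 302, 307, 308)
            and target.scheme == "https"
            and target.netloc.lower() == host.lower())


if __name__ == "__main__":
    # Constructed sample headers, not captured from any real site.
    for hdr in ("max-age=63072000; includeSubDomains; preload", "max-age=300"):
        print(hdr, "->", preload_problems(hdr) or "preload-ready")
    print(redirect_ok(301, "https://example.com/", "example.com"))
```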

@Seirdy Valid points. I will most likely redirect that page to a donation platform directly (skip over crypto entirely) - avoids all those pitfalls

@tdarb @Seirdy For how long are we meant to support old hardware? Since 20 years is too soon to cut support, maybe 30 or 50 years is long enough?

Maybe you don’t care about SEO, but a business sure does.

TLS certificates convey trustworthiness. The appearance of which is just as important as its actuality.

Security is more important than performance, period. Unless you’re operating a web server that needs to serve thousands of requests per second, the performance gain is irrelevant.

@dusnm @tdarb You can run TLS 1.3 ChaCha-POLY1305 on 90s-era hardware reasonably well, using Crypto Ancienne

Fosstodon