>There are websites that still don't run https Holy

You are currently reading a thread in /g/ - Technology

Thread replies: 214
Thread images: 10
File: https1.png (12 KB, 800x400)
>There are websites that still don't run https

Holy shit how is this possible
>>
HTTPS Everywhere f
>>
Placebo
>>
It's really easy to set it up, there's no reason sites shouldn't do it. Just got it set up on my personal site to see what the entire process is like. ez pz
>>
>>52977154
That's for sites that don't default to https. OP is talking about sites that don't have https at all.
>>
>>52977133
Wait for let's encrypt to get out of beta

>>52977154
No good if there is no HTTPS to default to
>>
>>52977133
HTTPS is a resource hog and it's backdoored by NSA anyway.
>>
>>52977179
The fuck is let's encrypt?
>>
>>52977209
Nice meme
>>
>>52977211
A free alternative to certification. Therefore all those people whining that it costs money, can't anymore.
>>
Why do no porn sites use https?
>>
>>52977168
Same here, used letsencrypt and was done in a matter of minutes.
>>
>>52977179
Letsencrypt matters for small websites. Big websites aren't staying out of https because of the $10/year it used to cost. And there are a lot of big websites that don't run https.
>>
>>52977179
>lets encrypt
Will it still have backdoors just as HTTPS?
>yes it will
So as soon as lets encrypt launches nothing will happen. Okay.
>>
>>52977133

>mfw exhentai and nhentai don't use SSL
>Your ISP knows your favorite doujins
>>
>>52977274
Can't do p2p with the existing CA structure.
>>
>>52977269
Who is saying that HTTPS is backdoored? This feels like FUD to get people to stay on plaintext insecure HTTP.
>>
>start managing huge website
>huge as in tons of pages
>changing all the src=http:// to src=//
>breaks a ton of images
>turns out those domains have expired ssl
>having difficulty finding whose account those domains are under.

Aggghhgghg
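
An added example, not part of the post above: a pre-migration audit for the situation it describes, listing the third-party hosts whose certificates must be valid before `http://` references are rewritten to `//`. The sample page, host names and function names are constructed for illustration.

```python
"""Pre-migration audit: which subresources break when a page moves to HTTPS."""
import socket
import ssl
from html.parser import HTMLParser
from urllib.parse import urlsplit

# "Active" subresources loaded over http:// are blocked on an HTTPS page;
# "passive" ones (images, media) have historically loaded with a warning.
ACTIVE = {("script", "src"), ("iframe", "src"), ("link", "href")}
PASSIVE = {("img", "src"), ("video", "src"), ("audio", "src"), ("source", "src")}


class _Refs(HTMLParser):
    """Collects (kind, url) for every element that triggers a subresource fetch."""

    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        # <link> only fetches a subresource when it is a stylesheet.
        if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower():
            return
        for attr in ("src", "href"):
            url = attrs.get(attr)
            if not url:
                continue
            if (tag, attr) in ACTIVE:
                self.refs.append(("active", url))
            elif (tag, attr) in PASSIVE:
                self.refs.append(("passive", url))


def audit(html, page_host):
    """Return explicit-http references and the hosts that need a working cert."""
    parser = _Refs()
    parser.feed(html)
    mixed, verify = [], set()
    for kind, url in parser.refs:
        parts = urlsplit(url)
        host = parts.hostname or page_host
        if parts.scheme == "http":
            mixed.append((kind, url))          # mixed content once the page is HTTPS
        # http:// and protocol-relative (//host/...) references to other hosts
        # will be fetched over TLS after the rewrite, so their certs must be valid.
        if host != page_host and parts.scheme in ("", "http"):
            verify.add(host)
    return {"mixed": mixed, "verify_tls_for": sorted(verify)}


def tls_ok(host, timeout=5.0):
    """True if host:443 completes a handshake with a valid, unexpired, matching cert."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, 443), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return True
    except (ssl.SSLError, OSError):           # expired cert, name mismatch, no listener
        return False


# Constructed sample page; every host name here is a placeholder.
SAMPLE_PAGE = """
<link rel="stylesheet" href="http://static.example.org/site.css">
<link rel="canonical" href="http://www.example.org/">
<script src="//cdn.example.net/lib.js"></script>
<img src="http://images.example.com/logo.png">
<img src="/local/banner.png">
<img src="https://secure.example.net/ok.png">
<a href="http://other.example/">a plain link, not a subresource</a>
"""

if __name__ == "__main__":
    report = audit(SAMPLE_PAGE, "www.example.org")
    for kind, url in report["mixed"]:
        print(f"mixed ({kind}): {url}")
    # On a networked machine, run tls_ok() on each of these before rewriting URLs.
    print("check certificates for:", ", ".join(report["verify_tls_for"]))
```
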
>>
>>52977241
I got a free year of another service due to being a "student"(as if). The only thing that took time was waiting for verification, but let's encrypt seems to handle that much faster. I'll be switching after this year anyways.

There's just little reason not to switch already. It not only helps your customers feel secure, but it'll also hopefully encourage sites to update some of their shit to newer standards.
>>
Also http/2 (which in practice requires TLS) is fast as fuck. So websites are not only secure, but also faster
>>
File: placebo.png (24 KB, 796x258)
>>52977133
I just had some leftover money on my paypal account and decided to purchase an ssl certificate for my private server

5 USD / year for a Comodo PositiveSSL certificate

I don't really get the difference from other services, except maybe that they let you have as many subdomains as you want.

There's a 50$ or so difference from one certificate to another, wtf?

pic related, that placebo feel
>>
>>52977432
There's no point in paying for certificates anymore though, since letsencrypt is now available.
>>
>>52977133
Try implementing HTTPS from scratch and you'll be anti HTTPS from that moment on
>>
>>52977490
Just use the client, there are several ones. Even one that's just under 200 lines
>>
>>52977490
Why the fuck would I implement HTTPS from scratch? You never roll your own crypto.

Anti HTTPS? Are you saying you're better using plain HTTP than HTTPS? Are you fucking retarded or baiting?
>>
>>52977133

Do you have an idea how much a yearly wildcard certificate costs? The cheapest I've seen is 200 USD, now multiply that times however many domains you have per year. Sure you can get regular ssl cert but forget encrypting anything other than your naked domain and its www.

Being a CA is essentially a license to print money.
>>
Lets encrypt gets sponsored by facebook, mozilla and chrome. Why would big corporations like that sponsor something like this without a return?
>>
>>52977209
This 2bh
>>
>>52977582
PositiveSSL Multi-Domain is $30/year and allows you up to 100 domains. And there's fucking letsencrypt which is free and has no limit on amount of domains.

There's literally no reason.
>>
>>52977460
>There's no point in paying for certificates anymore though, since letsencrypt is now available.
at first I thought "it's just a matter of time until they get flagged"

but if this is true >>52977583
>Lets encrypt gets sponsored by facebook, mozilla and chrome.

then i don't even know what to think

there must be a catch
>>
File: ss+(2016-02-14+at+09.53.16).jpg (150 KB, 1271x949)
>>52977671
selling data isn't it, the project is open source. it's also run by a non profit organisation so they won't sell it either. just weird
>>
>>52977209
retard alert
>>
>>52977671
>Lets encrypt gets sponsored by facebook, mozilla and chrome.
>there must be a catch
The catch is that they're sponsoring this movement so they don't have to pay for it anymore. Duh.
>>
>>52977671
There is no catch. CA situation used to simply be a scam. Asking $10+ for something that literally costs nothing to CAs was a scam.
>>
>>52977209
> it's backdoored by NSA anyway.
[Citation needed]
>>
>>52977582

Oh yes don't forget SNI, which isn't supported by older browsers.
>>
>>52977723
I believe the term is rent-seeking, anon.
>>
>>52977583
>>52977671
>Why would big corporations like that sponsor something like this without a return
HTTPS is a form of integrity and it benefits them if all web switches to it. They don't want their ad platforms used by 3rd parties hijacked by shitty ISPs and abused by bad actors.
>>
File: 1451774789247.jpg (159 KB, 540x720)
>>52977133
need https porn videos, it has been decades waiting
>>
>every site needs a secure connection

this is what retards think
>>
>>52977783
This. The return is better internet security, and a great big middle finger raised to the NSA (the engineers in particular are absolutely furious about the whole thing).

Even Facebook feel that way about it - despite selling the data themselves, and providing it under warrants, the fact that all that data was also being swiped from them under the radar as well made them livid, seething. They now try very, very hard to protect it (as in, TPM1.2-signed, TRESOR-keyed, RAM-encrypted, VT-d-enclosed, hypervisors living in L3 cache, hard).

Which isn't to say I agree that there should be a front door, or with all their other stuff (like the real names policy, which is an absolute dealbreaker to me and why I refused to interview there when they tried to recruit me). But all this stuff is, in fact, in their interest.

I think it's agl at Google who's one of the big pushes for this, too.

Mozilla are the ones most behind it, and it's easy to forget that at their heart, they're fairly charitable too, despite all the bureaucracy and the strange project-killing they do from time to time.

It's also serious leverage by the browser makers (and some of the really big websites) against the CAs in the CA/B Forum. The browsers are about ready to go nuclear, and strangely enough, it's SHA-1 that's going to be the tipping point, when the first full collision is published, probably later this year if the computation goes as predicted...
>>
>>52977898
You do realize that even if you don't care about your traffic being visible by anyone, that someone malign can inject malware into any website?
>>
>>52977898
>Being this retarded and ignorant
>>
>>52977133
it's fucking stupid that web browsers show warnings for self-signed HTTPS certs and not for plain HTTP
>>
>>52977231
why did it cost money to begin with?
>>
>>52978056
I would love if they outright disabled plain HTTP, the way chrome did with java (first manual chrome://flags, then outright 100% disabled)

Allow HTTP only on localhost.
>>
>>52977801
I host porn sites, and we did that. Not only did we do that, we actually had at one point, the second site on the internet (after Google) to support the draft chacha20-poly1305, and one of our models (who did this on the side) was posting on the IETF list about it. (Not that anyone really noticed it, but hell, it helps.)

HTML5 video was a harder thing to adopt. It was bloody clunky early on. We tried anyway, because Flash is in many ways even worse.

The hard part is actually ad networks. It was easier for us, because we were selling actual content to actual customers who actually paid us, so we only had ads for our actual affiliates and didn't need to use third-party networks.

The sites that rely on user-uploaded content (which is to say, surprisingly often, content like ours that people have just pirated, with the watermarks filed off, but, eh, it's the internet, what can you really do except pointless whack-a-mole that's time better spent making more content for your actual customers) that a lot of people use, like that hamster one, or the hub one: they tend to use ad networks with quite dodgy ads with fairly high payback rates, but a large number of those don't support HTTPS yet so you'd get mixed content warnings or stuff wouldn't work, and they want their money.

More generally, the problem with HTTPS is ad networks. They're going to quickly find, as the Javascript APIs get increasingly locked down from access via HTTP, and more and more sites will only use it, that they really need to support it or die. Plus, you know, ad blockers.

>>52977898
Enjoy having your site and your visitors used as a springboard to launch attacks by China and the NSA, retard. You'd be amazed what you can do with packet injection. TLS is an absolute minimum, for integrity, at the very least, and for limiting mass surveillance at least to some extent.
>>
>>52978056
From our discussions, major browsers are at least partially planning to do that - a crossed-out lock, and the deprecation of Javascript APIs (and eventually, Javascript entirely) from HTTP.
>>
>>52977941
>>52977959
>>52978108
>being this paranoid and retarded.
>using a shit browser
>having no other forms of protection

>w-w-wha they'll see my anime
>w-w-wha the nsa will try to trick me while i view my anime

you guys are complete paranoid idiots to think anyone cares about you specifically that much.
>>
Why would I care if people saw what was in my xvideos packets?
>>
>>52978149
they already sort of do that
JS sent over a HTTP source on a HTTPS website will not run, but everything is just fine when HTTP->HTTP
>>
File: 1444424383184.png (199 KB, 439x392)
>>52978156
>>
>>52978156
>"using a shit browser"
>Doesn't know that every browser gets multiple vulnerabilities per month
>Doesn't understand that after installing windows, and downloading his "non-shit browser" he can get an installer with malware in it
>Doesn't understand that any download you make can be replaced/injected with malware

Please be baiting. I hope nobody this retarded browses /g/
>>
>>52978156
The problem with mass surveillance is nothing to do with any kind of specific targeted effect - quite the opposite.

It's about the chilling effect that being watched, even by someone who doesn't particularly care if what they're watching is all that interesting, has on us as a collective society.

From our perspective, even though we always kept our porn sites on the block lists and with the appropriate tags/interstitials so, to our best efforts, those using content blockers (parental controls, etc) wouldn't see them, we did want consenting adults to be able to choose to look at our stuff without fear of stigma or persecution. As long as it's legal - and illegal sites (discounting the shitty "extreme porn" laws and censorship here that eventually were one factor in leading us to retire our sites) are for the most part shuttered extremely quickly and have nothing whatsoever to do with the legal erotica industry - your ISP really shouldn't be able to know about your interest in (for example) kinky trap maid porn: that's between you, and the kinky trap maids.
>>
Why are so many sites defaulting to https now? I can understand if the website involves a password or confidential information. Google search now defaults to https. If you're searching something you shouldn't be then you shouldn't be using google because they're the most likely to report your ass not some guy who's sniffing your wifi packets.
>>
>>52978261
Privacy: Because not only google and the NSA want to know everything you do. You want to stop your ISP, or whoever is in control of your router to spy.

Security: Malware can be injected anywhere without https. Any download (think any .exe) could be replaced with anything, and you wouldn't know. Any content of any webpage can be seamlessly replaced.
>>
>>52978261
because there is literally no reason to stay with http
>>
>>52978083
Jews.
>>
>>52978261

It's not because they care about you if that's what you're wondering. It's because the NSA basically made those companies their bitch, and now the companies are all ganging up to beat up the bully. Imagine if you lost millions of dollars in selling data because you got hacked and your buyer took it all for free, you would be furious.

Also, many anons have mentioned (see >>52978323) that the companies also want to protect their own sites from being hit with malware, as that interferes with business.
>>
>>52978323
If my ISP cared what I was doing I'd be in prison. The only time they care is when they are required by law so basically when they receive a DMCA notice.

So you're saying https protects against man in the middle attacks? I didn't know this. I figured if someone had that much control they could fake an authentication of a certificate they sent you.
>>
>>52977295
>>52977295
this.

sauce or gtfo
>>
>>52978261
>Google search now defaults to https. If you're searching something you shouldn't be then you shouldn't be using google because they're the most likely to report your ass not some guy who's sniffing your wifi packets.
Huh? Do you want your cookies stolen by the sniffing guy and your online wallet emptied? It isn't all about tin-foil hat security, it is the better technology in general and enables new protocols like HTTP/2 and other optimizations. Encryption should be default from the start of internet but it couldn't be because it was computationally very heavy back in the day, but today it is built in your CPU with AES-NI so no excuses.
>>
>>52977671
>there must be a catch
the catch is that for ssl to be useful everyone should manually check and install certificates of domains they trust instead of trusting root CAs and blindly inheriting trust for every domain under the sun.

just because it's padlocked people assume the host is trustworthy which is not the case, only the channel is.

at least when certificates cost money there was someone to blame when your data got pinched, free certificates means they won't take responsibility for any fuckups, it's just a signature.

(omfg it's free) yeah so fuck it doesn't cost anything it should be fucking free

but the ca system is retarded level laziness
>>
>>52977295
>HTTPS is backdoored by the gubmint
>better stick with plaintext so everyone has the freedums to snoop on my data
>>
>>52978169

Would you mind printing out your personal PC's web history and giving it to your boss? That along with any user/passwords you might send over the wire?
>>
I used to run websites with self-signed certificates. so there's no point in doing that anymore?
>>
>>52978261

Using SSL encryption is best practice.

Think of HTTP as if someone were to ship you personal postmail in a clear envelope that anyone could read. Where HTTPS would be postmail shipped under lock with only enough info to get to your front door.
>>
>>52978829
https://letsencrypt.org/
https://github.com/letsencrypt/letsencrypt
https://github.com/letsencrypt/boulder
nope, not really
only downside of letsencrypt is that you have to re-renew your certificate every three months or so, but that isn't too bad considering that you can automate it
>>
>>52978169
ISPs throttle streaming video, https would prevent that.
See for example

https://www.eff.org/deeplinks/2016/01/eff-confirms-t-mobiles-bingeon-optimization-just-throttling-applies
>>
>>52978661
> your online wallet emptied
My what? I specifically said I understand if the data being transferred is a password or similar. I'm talking about typing "shitting dick nipples" in to my search bar and getting sent to a https page. There's no reason for any financial information to be transferred for that. Even with encryption transferring that information for the fun of it is bad security practice. I make sure https is on when entering payment information. Like I said it makes sense. If it becomes illegal to search for shitting dick nipples I won't search for it on google.
>>
>>52978913

No it won't. Your ISP can easily see whatever site you visit even on HTTPS.
>>
>>52978323
>Privacy
It doesn't stop spying. Most metadata isn't protected by TLS at all.
>Security
TLS does not replace signatures and your DNS requests aren't over TLS.
>>
some people care about those of us that can't run firefox on our antique computers : /
>>
>>52978913

TLS/SSL doesn't prevent throttling - HTTPS is layer 7. ISP can still capture your layer 3 traffic, m8.
>>
>>52978829
>>52978865
There are various alternatives to the official client
alternatives:
Free HTTPS certificates without having to trust the letsencrypt cli with sudo/root

https://github.com/diafygi/letsencrypt-nosudo

Let's Encrypt client and ACME library written in Go (WIP)

https://github.com/xenolf/lego

A tiny script to issue and renew TLS certs from Let's Encrypt (~200 line python script)

https://github.com/diafygi/acme-tiny/

Simple Let's Encrypt client. (crontab friendly)

https://github.com/kuba/simp_le

And this...

A Let's Encrypt web client

https://gethttpsforfree.com/
>>
>>52978661
>Do you want your cookies stolen by the sniffing guy and your online wallet emptied? It isn't all about tin-foil hat security
how's that not tin-foil? who exactly but state actors are able to MitM your connection?
>>
>>52978967
>ISP can easily
No, they had to configure it manually which is great work for ISP, given there are billions of sites. Overwhelming majority of throttling is done auto by deep packet inspecting routers.
>>
>>52978973
DNS requests not being over TLS doesn't matter other than for privacy reasons. If someone were to send a fake DNS record, then the user would get a certificate warning since the MITM still wouldn't be able to have a correct certificate.

Also
>https has some minor issues
>SO LET'S USE PLAINTEXT ALTOGETHER XDXD

Fucking retard
>>
It's literally useless for most information sites. It only adds extra maintenance, costs performance and might break your site if you want to run third party ads that don't support it.
>>
>>52978995
Yeah but that misses the point. The issue in question is throttling a specific type of application load which is video, not throttling just by bandwidth usage.
>>
>>52978323
>>52978967
HTTPS should still be used because it ensures that packet sniffers can't read what's going on over the network
>>
>>52979056
Fucking read the thread ignorant piece of shit. Stop spreading misinformation.
>>
>>52979023

Practically anyone with a junior high education and google at their fingertips.
>>
>>52978953
You are logged in to google while using google search and that cookie's linked to gmail, which the sniffer can use to get your paypal account for example. Obviously won't apply if you are not logged in to google.
>>
>>52979056
HTTPS will destroy the internet. We need to keep HTTP because it works
>>
>>52979089
It's literally useless for most information sites. It only adds extra maintenance, costs performance and might break your site if you want to run third party ads that don't support it.
>>
>>52979055
some minor issues?
it's doing it totally wrong, you would want encryption on the IP layer, not the application layer.
too bad NSA sabotaged IPSec.
>>
>>52979106
If you really believe using TLS is even fucking close to plaintext, you are completely retarded.
>>
>>52979123
Kill yourself, HTTP for life. Do not support NSA technology like encryption
>>
>>52979090
not everyone is retarded and uses public wifi.
TAO's QUANTUM attack is not something non-state actors can pull off.
>>
>>52978973
No but with TLS/SSL you can make sure the content is from the correct server.
Without encryption, why would anyone trust the download link or the md5sum?
Both can be altered by a third party.
>>
>make a website for the world to see
>ENCRYPT IT HELP NSA NSA
>>
>enable https on 4chan
>images load slow as shit

why
>>
>>52979169
Hashes are for spergs. I always install without checking it
>>
>>52979179
2/10, a bit too obvious though
>>
>>52979169
>No but with TLS/SSL you can make sure the content is from the correct server.
you cannot. only a handful of certificates are pinned. for the rest any CA can sign any site and CAs have horrible security records.
>>
File: 1439361615637.jpg (337 KB, 600x450)
>there are people arguing against https
>/g/
>current_year
>>
Fucking free pastebin
>>
>>52977209
>what is HSTS
>what is libressl
>>
>>52977133
My personal website doesn't have HTTPS. It doesn't need HTTPS.
>>
>>52979209
chunk.io
sprunge.us
0x0.st
>>
>HTTPS isn't perfect
>so lets use plaintext
Kill yourself NSA agent
>>
>>52978108
ACTUALly
>>
>>52979211
>what is libressl
retard pls. libressl is totally a resource hog, because they removed all the optimizations.
>>
>>52979205
That's because https is not in the interest of website owners. Only in the interest of the users.
>>
>>52979188
it's getting routed through the nsa
>>
>>52979205
>2016
>people think HTTPS actually does something

https://freedom-to-tinker.com/blog/haldermanheninger/how-is-nsa-breaking-so-much-crypto/
>>
>>52979188
Jewt did a shit job on implementing HTTPS like everything else he did
>>
>>52979169
>Without encryption, why would anyone trust the download link or the md5sum?
because signatures, retard.
no linux distro besides RHEL offers https repos.
>>
>>52979102
https plus new compression tech like brotli would save a significant amount of bandwidth and money for just information sites with high volume. Extra maintenance and costs performance parts are problems of 10 years ago, 3rd party ad networks will adapt if they want to survive.
>>
>>52979305
>weak dh key
ok
>>
>>52979305
>NSA can break https
>so I should make myself vulnerable to every scriptkiddie out there
nice logic you got there faggot
>>
>>52979333
You're safer with HTTP. Third party sites shouldn't have to adapt if they don't want to
>>
>>52979333
>every script kiddie can MitM my connection
nice logic you got there faggot
>>
>>52979331
All the magic is gone when they can simply have the keys handed to them by request.

http://www.cnet.com/news/feds-put-heat-on-web-firms-for-master-encryption-keys/

It's far more dangerous for people to use something that is compromised thinking it's safe than to just move on to a new technology instead.
>>
>>52979096
Yeah but whether I'm logged in to google or not it directs to https. Still a site shouldn't be requesting cookies capable of logging me in to an email account when I'm using the homepage. That's bad design and they're putting a bandaid over it by forcing https.

>select images of ice cream

I WANT TO CHOOSE PICTURE OF CACTUS.
>>
>>52979326
>3rd party ad networks will adapt if they want to survive
I only care about making my website profitable to be honest.
Currently my website runs on love so https really is low on the priority list. I heard ad revenue can drop by 2/3th.
>>
>>52979305
https is not all about nsa blocking or security. Nearly every protocol improvement done on http like http/2 practically requires using it now.

>>52979517
Google promotes https using sites higher on their search so more sites using it for higher user visits hence potential revenue, in return more ad networks are switching to it. With flash dead and adblocking tech on rise, ad networks will be forced to renew their backend in very near future and adapt tech like html5 and tls.
>>
>>52979655
Google uses some kind of bidding system where the highest bidder gets to show his ads.
For https websites all bidders with http ads get removed from the bidding pool. And that leaves only a fraction of the bidders for ad space.
>>
https is bullshit, DV is cheap and consumers won't know the difference.
>>
>>52979655
>Nearly every protocol improvement done on http like http/2 practically requires using it now.
http/2 can be unencrypted.
>>
>>52979792
No browser supports using unencrypted http/2 to my knowledge, the practically part.

>>52979706
I'm sure that's the case but why wouldn't the ad networks want to be in https pools as well? They have to stay competitive
>>
>>52979792
>Doesn't understand the meaning of practically
No implementation supports or will support unencrypted http/2
>>
How tight does your tinfoil hat need to be that you require https on 4chan?
>>
>trusting CAs
>not using self signed certificate to be sure nobody gets you'rea're private keys
L O L
O
L
>>
>>52979911
Holy shit you have absolutely no idea how certificates work. Leave /g/
>>
>>52979890
4chan is actually one of the few sites that could use https, with all the sensitive posts being made here.
>>
>>52979836
but PRACTICALLY TLS is unencrypted. NSA owns the CAs.
http://www.ietf.org/mail-archive/web/httpbisa/current/msg14288.html
>>
>>52979911
Good thing CAs sign public keys.


>>52980006
>what are pins
>what is certificate transparency
>>
>>52979977
Yeah, wouldn't want the NSA stealing your pepes
>>
>>52980048
>Good thing CAs sign public keys.
>he actually believes this
jesus christ how fucking dumb are you
>>
>>52980006
Another retard. A CA can't decrypt data. The CA can at most impersonate, but never decrypt.
>>
what the fuck is HTTPS guise
>>
>>52980062
I hope this is bait, because you have absolutely no idea how public key encryption works.
>>
>>52978083
work tends to cost money
>>
>>52980083
It encrypts the traffic between the server and the users computer.
So everyone can see that you are browsing 4chans, but not which pages of 4chan and the password of your 4chan gold account.
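
An added example, not part of the post above: what a passive observer can read from the first bytes of a plain HTTP connection versus a TLS one, where the server name is still visible in the ClientHello's SNI extension (sent in cleartext unless Encrypted Client Hello is in use). The byte strings, host name, cookie value and function names are constructed for illustration.

```python
"""What a passive on-path observer can read from the first bytes of a connection."""
import struct


def build_client_hello(hostname):
    """Constructed sample: a minimal TLS ClientHello carrying only an SNI extension."""
    name = hostname.encode("ascii")
    entry = b"\x00" + struct.pack("!H", len(name)) + name       # name_type = host_name
    sni_ext = struct.pack("!HHH", 0, len(entry) + 2, len(entry)) + entry
    body = (
        b"\x03\x03" + bytes(32)           # client_version, random (zeroed in the sample)
        + b"\x00"                         # empty session id
        + b"\x00\x02\x13\x01"             # cipher suite list with one entry
        + b"\x01\x00"                     # null compression only
        + struct.pack("!H", len(sni_ext)) + sni_ext
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record):
    """Return the SNI host name from a ClientHello record, or None if absent/truncated."""
    if len(record) < 5 or record[0] != 0x16:          # not a TLS handshake record
        return None
    hs = record[5:5 + int.from_bytes(record[3:5], "big")]
    if len(hs) < 4 or hs[0] != 0x01:                  # not a ClientHello
        return None
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    try:
        pos = 2 + 32                                          # version + random
        pos += 1 + body[pos]                                  # session id
        pos += 2 + int.from_bytes(body[pos:pos + 2], "big")   # cipher suites
        pos += 1 + body[pos]                                  # compression methods
        ext_end = pos + 2 + int.from_bytes(body[pos:pos + 2], "big")
        pos += 2
        while pos + 4 <= min(ext_end, len(body)):
            ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
            data = body[pos + 4:pos + 4 + ext_len]
            if ext_type == 0 and len(data) >= 5 and data[2] == 0:
                n = int.from_bytes(data[3:5], "big")
                name = data[5:5 + n]
                return name.decode("ascii") if len(name) == n else None
            pos += 4 + ext_len
    except (IndexError, UnicodeDecodeError):
        return None
    return None


def parse_http_request(data):
    """Everything in a plaintext request is readable: host, path and cookies."""
    head = data.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    _method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        key, _, value = line.partition(":")
        headers[key.strip().lower()] = value.strip()
    return {"protocol": "http", "host": headers.get("host"),
            "path": path, "cookie": headers.get("cookie")}


def visible_to_observer(first_bytes):
    """Summarise what the first client bytes reveal to someone watching the wire."""
    if first_bytes[:1] == b"\x16":
        # Over TLS only the server name leaks here; path and cookies travel encrypted.
        return {"protocol": "tls", "host": extract_sni(first_bytes),
                "path": None, "cookie": None}
    return parse_http_request(first_bytes)


# Constructed sample request; host, path and cookie are placeholders.
PLAIN_HTTP = (b"GET /private/page?id=7 HTTP/1.1\r\n"
              b"Host: boards.example.org\r\n"
              b"Cookie: session=constructed-value\r\n\r\n")

if __name__ == "__main__":
    print(visible_to_observer(PLAIN_HTTP))
    print(visible_to_observer(build_client_hello("boards.example.org")))
```
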
>>
>>52980122
thank you kindly anon
you worth that nice dubs
>>
>>52980122
And equally as important, it can't modify the data in transit without you knowing.
>>
>>52978083
SSL means someone has to vouch for your website.
The process is automated.
Servers cost money to run.

Apart from that it's just 90% markup. Anyone can run their own Certificate Authority, really.
>>
>>52978083
Because you need to pay the people who verify that the person asking for a certificate for anon.xyz is the actual owner of anon.xyz

Let's encrypt tries to do this automatically. I suspect it compares the IP of the server which is requesting the cert with the IP that is pointed to by the domain names mentioned in the cert request.
>>
>>52980063
>what is MitM
>>
>>52980236
Something you can't do on a massive scale

>>52980176
CAs didn't manually verify either, except for EV certificates which cost $200+

It was a scam.
>>
>>52980284
you can't do on a massive scale without people noticing, that's what I meant
>>
>>52980176
>>52980284
https://letsencrypt.org/2015/10/29/phishing-and-malware.html
>>
>>52980303
still underestimating the NSA after PRISM?
>>
>phoronix only provides https to premium members. Unless you use a plugin.
>Please don't enable noscript or block ads pls.
https://www.phoronix.com/scan.php?page=news_item&px=HTTPS-Default-For-Premium
>>
>>52980329
SSL Observatory would instantly detect MitM on a massive scale. Users alone would detect it, as it is instantly detected in the shit countries that actually did MitM
>>
>>52978108
is this heaven, don't wake me up, just give me your website url already
>>
>>52980376
that assumes NSA would need to issue new certs
>>
>>52980694
They have to crack private keys in the other case, not related to trustworthiness of CAs.
>>
>>52980050
Or the fact that you support certain political groups, may be attending certain rallies, and anything identifiable that can be pinned down to you for a potential hatefacts conviction
>>
>>52981263
https doesn't do a damn thing for keeping your posts anonymous on this board. Anyone who is watching your traffic has the time you made the post, the ip you sent it from, the ip you're sending it to, and the size of the post you sent. All they have to do is access the public website and pick the posts made during a certain time using the time stamps. Then they just check which posts have the size that relates to the sum of the size of the packets you sent to the web site. Then they know which posts are yours.
>>
>>52981449
;_;
>>
>>52981263
The NSA does not give a fuck that you snuck out of your cuckshed to go to a Sanders rally.
>>
File: vlcsnap-2015-12-28-20h49m45s823.png (250 KB, 640x480)
>>52979911
>you'rea're
WHAT THE FUCK DID I JUST READ
>>
>>52977133
My website doesn't accept any input from the user. What would it need HTTPS for?
>>
>>52981693
Fucking read the thread
>>
>>52977133
>implying I need https on a static website where no user data is ever exchanged whatsoever
>>
>>52977233
They are all owned by the same jew who doesn't give a fuck about your privacy.
You shouldn't visit those sites.
>>
>>52977274
>not using tor to read sadpandas
>>
>>52981737
Fucking retard, someone malicious can modify your static website, inject malware, etc

Leave /g/ now
>>
>>52981704
Literally none of it matters.
>>
>>52981737
b-b-b-but then people at my isp will know I watched surpriseiusetheinternetforwatchingporn.webm on your website
>>
>>52981263
why the fuck would they go through all of that bullshit when they could simply just send the national guard/police to your irrelevant political bullshit rally if they don't like it

do you really think they give a fuck about one irrelevant faggot posting on a board famed for useless slacktivism that never accomplishes anything? they WANT you to post here
>>
>>52981775
>Injecting malware in a website doesn't matter

Kill yourself retard
>>
>>52981745
Http://rule34.xxx is owned by the same guy as xvideos?
>>
>>52981757
And how exactly could they do that?
>>
>>52981791
>implying implementing ssl would keep the user safe
Full delusional. Not my fault if you're a fucking retard.
>>
>>52981672
UPF 2017, nigga
we gotta drive these niggers out
>>
>>52981815
>>52981820
Retards without SSL it is impossible for the user to know if somebody is MitM'ing your website
>>
>>52981872
>SSL can't be MitMed
Phew laddy.
>>
>>52981872
Can second this. Without ssl, the end user is at my complete control. I can edit what he/she sees and can even act as a proxy server between them and the website and edit the data that flows through.
>>
>>52981932
User*
>>
>>52981872
>>52981932
why do you think SSL would prevent this? it would just make the browser throw an alert most users will click through anyway

and why the fuck would some faggot bother MitMing a niche site when there are much more lucrative targets actually worth the effort?
>>
>>52977241
Besides having to update every 3 months (I believe) and no wildcard option encrypt is pretty nice.
>>
>>52977209
>HTTPS is a resource hog
Are you browsing the web on your Gameboy?
>>
>>52981932
>MitMing your own family
Faggot.
>>
>>52979102

>if you want to run third party ads
>>
>>52981805

yes
>>
>>52982289
What pieces of information did you use to corroborate this? Is it under the whois information? Is there a big list somewhere?
>>
how can I hide my DNS requests?
>>
>>52978565

That's the whole point of TLS mate: integrity is just a side effect of doing things right.

Look up Diffie-Hellman key exchange if you want to know how we can manage to encrypt shit even when the communication channel is insecure.
>>
File: 1449866652887.jpg (23 KB, 240x260)
>>52977209
>>
>>52982326
Many ways: Try a VPN
>>
>>52978219

>after installing windows
>after installing
>windows
>>
>>52977231
lets encrypt doesn't work the way normal certs work and I don't think it's a good alternative for the many, many ecommerce sites out there
>>
With startcom, wosign and letsencrypt being free there's really no excuse.

It takes like half an hour to learn how to configure a server to get A rating in ssllabs test. A few hours if you want to dig deeper and learn what all those different options and ciphers do.
>>
>>52982934
It's still in beta, and it's a good alternative for many many ecommerce sites out there who would rather not be spending so much money on dumbass certs that still require tinkering to operate properly.
>>
>>52983461
Also not a fan of letsencrypt. They should encourage admins to learn, not cater to their laziness.
>>
>>52977133
unrelated question about HTTPS:

how much of the traffic is encrypted? are the headers/get requests also encrypted? so that if i use a remote server as DNS server, the local network administrator won't be able to track my whereabouts?

i was visiting naughty websites on school network, and now i am paranoid :(
>>
>>52984015
None of the IPs are encrypted for obvious reasons.
>>
>>52983497
I think it's a good thing
The people behind LetsEncrypt are trying to make TLS/HTTPS so easy that it's accessible to everyone
>>
>>52984015
Everything is encrypted except the ip address. So someone can see you're on a porn website, and that you downloaded 500mb from it, but not at all what you're downloading from it.
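
What an on-path observer (such as a local network administrator) can read from an HTTPS connection, as an added example that is not part of the thread: the request path and headers travel inside the encrypted channel, but the TLS ClientHello carries the hostname in the cleartext `server_name` (SNI) extension, next to the visible IP address. The hostname `example.test` is a constructed value, and the handshake bytes are generated offline with Python's `ssl` module.

```python
import ssl

def client_hello_bytes(hostname):
    """Return the first flight a TLS client would send, produced offline."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = ctx.wrap_bio(incoming, outgoing, server_hostname=hostname)
    try:
        tls.do_handshake()          # no peer: stops after writing ClientHello
    except ssl.SSLWantReadError:
        pass
    return outgoing.read()

def u(buf, pos, size):
    """Big-endian unsigned integer of `size` bytes at `pos`."""
    if pos + size > len(buf):
        raise IndexError("truncated")
    return int.from_bytes(buf[pos:pos + size], "big")

def sni_from_client_hello(record):
    """Hostname from the cleartext server_name extension, or None."""
    try:
        if u(record, 0, 1) != 22:               # record type 22 = handshake
            return None
        body = record[5:5 + u(record, 3, 2)]
        if u(body, 0, 1) != 1:                  # handshake type 1 = ClientHello
            return None
        p = 4 + 2 + 32                          # header, legacy version, random
        p += 1 + u(body, p, 1)                  # session id
        p += 2 + u(body, p, 2)                  # cipher suites
        p += 1 + u(body, p, 1)                  # compression methods
        end = p + 2 + u(body, p, 2)             # extensions block
        p += 2
        while p + 4 <= end:
            ext_type, ext_len = u(body, p, 2), u(body, p + 2, 2)
            if ext_type == 0:                   # server_name
                # list length(2), name type(1), name length(2), name
                name_len = u(body, p + 7, 2)
                return body[p + 9:p + 9 + name_len].decode("ascii")
            p += 4 + ext_len
    except (IndexError, UnicodeDecodeError):
        pass
    return None

if __name__ == "__main__":
    hello = client_hello_bytes("example.test")   # constructed hostname
    print(sni_from_client_hello(hello))
```
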
>>
>>52986032
Unless they submit a legal warrant for information from the host, who will have in their logs what exactly you requested.

But that isn't likely.
>>
File: 1330112637303.jpg (47 KB, 350x484)
>>52977133
Muh performance.
Seriously. A lot of hosters would need to upgrade their hardware.
>>
>>52982934
What do you mean? They even have their certs cross signed for compatibility. It is as good as any cert.

>>52983489
>>52983497
Letsencrypt are at least as good as normal CAs. They validate every 3 months that you really are the real owner, by making the server associated with the DNS records respond specially to the CA, instead of the usual year-long CAs
>>
>>52986175
HTTP/2 is faster than plain old HTTP

HTTPS encryption takes a negligible amount of CPU cycles. Source: I run all my websites with HTTPS in cheap ass 1 core 1GB RAM VPS
>>
There is even a free one called letsencrypt if you don't need any subdomains
>>
>>52986383
>https://community.letsencrypt.org/t/subdomains-certificates-are-limited-by-parent-domain/7148
>You can add up to 100 sub-domains on one cert though if needed.
>>
>>52986354
>HTTPS encryption takes a negligible amount of CPU cycles.
It does, but it adds up if you get a few thousand requests per second.
>>
Daily reminder that an attacker only needs one cooperating CA to MITM an HTTPS connection to any site. The protocol was designed to be weak and you can be sure it does not protect you.
>>
File: 1422307182590.jpg (141 KB, 803x688)
>>52986429
wow, good meme.
>>
>>52986415
1% of your server resources is still your 1%, be it 1% of 1req/sec or 1% of 100000req/sec

What I mean is the website only needs to make its infrastructure 1% faster. If you have 100 servers, you won't mind buying a 101st server.
>>
>>52986445
How is this a meme.
>>
>>52978083
Because being a root CA enables you to be a jew about it. On the other hand maintaining CAs to remain secure actually costs money, but it was really freaking expensive.
>>
>>52977233
It's more costly to do load balancing behind https.
>>
>>52977432
Is your site commercial? Because you could already have free certs from startssl for non-commercial sites.
>>
>>52987769
a comodo positivessl cert costs like $7/year
I wouldn't call that "freaking expensive".
If you need multiple subdomains, a 3 subdomain multi cert can go up to $20.
sites generally don't have a need for many subdomains. if your website uses more than 3 subdomains and you are not a bloghosting/cloudflare, you are probably doing something wrong

Now, EV certs are "freaking expensive" and for good reason. one off websites are not supposed to be running on EV certs.. they are supposed to be something special.
>>
> Free certificate still not a thing
> Installing certs can be a pain
> Using HTTPS everywhere is just dumb

The last point is the one which rustled my jimmies.
I was happily running a Squid proxy for my family, thus reducing our overall network load, speeding up sites, etc. It was awesome.

Now? Even fucking Facebook is HTTPS.
What the fuck?

Same for my company, I cannot proxy shit, unless I do this shady SSL swaperoo thing. But it's not that simple, you have to prepare each client for it.

tl;dr: HTTPS "everywhere" movement is bullshit and just plain stupid.
>>
>>52988686
And what if you have plenty of sites?
Oh right, just buy 10x7$ certificates PER YEAR.

I would be happy to run HTTPS sites, just give me 1$/yr certs or something like that. Installation should be also easier.
For example "cheapssl.." certifications (it's a site that sells this 7$ cert for example) - cannot be installed to Apache 1:1, you have to mess around. And the instructions on the site are a mess, so you have to Google, and end up wasting plenty of hours.

tl;dr: it's a pain
>>
>>52977209
Proof?
>>
>>52986429
>MITM
Only when that CA is actually in the trust store of your application.

>Weak by design
That is not true. TLS (formerly SSL) is a good way to guarantee integrity, as well as confidentiality over untrusted networks (e.g. the Internet).

Sadly, the Internet is full of domains that either don't use it, or implement it very weakly, up to a point where it has no added value. I'm talking about weak protocols and cipher suites, which is just a matter of updating your libraries, applications and restarting your services.

People should pay more attention to which domains they connect to and whether they should trust them with whatever traffic they send and receive from them. Know your connection status, meaning your protocols, cipher suites and certificates. Also briefly skim through the privacy policies and such to know how they (ab)use your data, and who you entitle to access your data.
>>
>>52987792
>It's more costly to do load balancing behind https.
HAproxy?
>>
>>52988803
>Even fucking Facebook is HTTPS.
>Even an authenticated connection is over https

>Free certs not a thing
>what is let's encrypt

Dude, just stop posting.