mersenneforum.org  

Old 2018-03-11, 23:14   #67
richs
 
 
"Rich"
Aug 2002
Benicia, California

10100011010₂ Posts

I changed my consulting services website from http to https at clients' requests.
richs is online now   Reply With Quote
Old 2018-03-13, 12:55   #68
Nick
 
 
Dec 2012
The Netherlands

2·23·37 Posts

Quote:
A major dust-up on an Internet discussion forum is touching off troubling questions about the security of some browser-trusted HTTPS certificates when it revealed the CEO of a certificate reseller emailed a partner the sensitive private keys for 23,000 TLS certificates.
Article: https://arstechnica.com/information-...-private-keys/
Nick is online now   Reply With Quote
Old 2018-03-13, 17:43   #69
kruoli
 
 
"Oliver"
Sep 2017
Porta Westfalica, DE

7²·11 Posts

There is also another voice...
I would rather stay with HTTP as long as possible. Every webpage I frequently use and which has moved to HTTPS (especially Wikipedia), gave me some trouble some time afterwards and I had to work on "things" some time. On a side note, you can force Google to HTTP, but I found no way on Wikipedia. If somebody knows how to achieve that, I'll be thankful. :)

What is our problem? When logging in, that sent data might be readable for others. Why are man in the middle attacks a problem? Are you afraid of manipulated links? Everyone should be careful about that, even on HTTPS sites, because users may be malicious, too. Furthermore, I do not see the base for that in general on this forum.

As long as possible, all my own web pages will stay on HTTP only, for a ton of reasons (most of which do not apply for this forum). So I would like to ask at least to enable the option to go back to HTTP, if this site is ever going to use HTTPS.

As Nick hints at, the certificates are a huge problem of HTTPS. Our university is using a set of CAs (at least has been), student councils are using different CAs and so on. In the last few years, there were literally dozens (!) of changes required because Chrome et al. decided to mark some types of certificate "untrusted". Right now each HTTP site is marked as "not secure" by Chrome, but only subtly and only when entering something. When having a certificate that is no longer trusted by Chrome, it will freak out from one day to another and strongly discourage everyone from going to that site. Only looking at this, I would rather stay at HTTP forever.

For me personally, I see no disadvantage in keeping HTTP, only advantages. Why?
  • I have nothing to hide. And using HTTPS will not help me hiding as much as some might like to.
  • Using different credentials for each webpage is a must even if I would use HTTPS.
  • A man in the middle attack which was done subtly will not harm me because I like checking links. A non-subtle attack always relies on the security of your browser, and that is usually a problem of not having things updated.
  • Money could definitely be spent better than on "good" certificates etc.
  • This forum is unlikely to be aimed at by hackers, DDoSsing is much simpler and more effective (depending on what you really want).
kruoli is offline   Reply With Quote
Old 2018-03-13, 20:21   #70
yoyo
 
 
Oct 2006
Berlin, Germany

617 Posts

I basically don't agree. Every webpage should be https.
yoyo is offline   Reply With Quote
Old 2018-03-13, 21:37   #71
kruoli
 
 
"Oliver"
Sep 2017
Porta Westfalica, DE

7²×11 Posts

Every webpage that is using HTTPS by default should let the user choose whether to use HTTP or HTTPS. Everything else is obstructive paternalism.
kruoli is offline   Reply With Quote
Old 2018-03-13, 22:49   #72
retina
Undefined
 
 
"The unspeakable one"
Jun 2006
My evil lair

14064₈ Posts

If you have ever connected through an airport, hotel or cafe then you might have experienced the annoying habit some of them have to alter pages to insert ads or serve up interstitial pages. Some ISPs also do this as a way to monitor their customers and make extra revenue. Plus the problem of other users on the same network being able to read your cookies and impersonate you later. With TLS you are assured* of a direct connection to the server without interference or monitoring from third parties.

* It is not perfect of course, but it is much better than nothing.
retina is online now   Reply With Quote
Old 2018-03-13, 23:28   #73
kruoli
 
 
"Oliver"
Sep 2017
Porta Westfalica, DE

1033₈ Posts

Personally, I have never experienced that in Germany. But if you say so, I assume that this is a problem indeed, at least in other countries. When using HTTPS, that hinders connecting to the webpage where you need to confirm that you do not do bad things with the free WiFi. That is the only altering that happens regularly in Germany that I know of. So, if you want to use a free WiFi, you first have to remove HTTPS manually from some URL to allow the router to redirect you.

Of course this special problem is only valid for the initial connection to a free network. In Germany, a lot of networks switched to secured WiFi, where you need to ask for the password/passphrase. Sometimes it is shown on a poster e.g.

Last fiddled with by kruoli on 2018-03-13 at 23:32 Reason: Autocorrect was not correct.
kruoli is offline   Reply With Quote
Old 2018-03-13, 23:56   #74
Dubslow
Basketry That Evening!
 
 
"Bunslow the Bold"
Jun 2011
40<A<43 -89<O<-88

3·29·83 Posts

Quote:
Originally Posted by kruoli View Post
Personally, I have never experienced that in Germany. But if you say so, I assume that this is a problem indeed, at least in other countries.
It is a problem in every part of the world, whether or not you personally have noticed it. Where there are people, there are people trying to exploit other people, and http is approximately as secure as shouting your browsing information at a football match. And no, "nothing to hide" is not a valid argument to say that you don't need security.

Quote:
Originally Posted by kruoli View Post
When using HTTPS, that hinders connecting to the webpage where you need to confirm that you do not do bad things with the free WiFi.
Not true. The IP address of every connection you make is still available to the router/anyone else with access to the connection.
Dubslow is offline   Reply With Quote
Old 2018-03-14, 09:26   #75
kruoli
 
 
"Oliver"
Sep 2017
Porta Westfalica, DE

539₁₀ Posts

Quote:
Originally Posted by Dubslow View Post
Not true. The IP address of every connection you make is still available to the router/anyone else with access to the connection.
Maybe I have put it in wrong words. It is not about the IP address. It is about the router inserting a HTTP 301/302 into the first web page you originally requested to redirect you to a "login page" for the free WiFi. That only works for HTTP.
kruoli is offline   Reply With Quote
Old 2018-04-16, 18:52   #76
alpertron
 
 
Aug 2002
Buenos Aires, Argentina

10101010110₂ Posts

Quote:
Originally Posted by kruoli View Post
Maybe I have put it in wrong words. It is not about the IP address. It is about the router inserting a HTTP 301/302 into the first web page you originally requested to redirect you to a "login page" for the free WiFi. That only works for HTTP.
In that case just navigate to example.com. This site is HTTP so it will be redirected to the login page.
alpertron is offline   Reply With Quote
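
The two network behaviours discussed in the posts above (a hotspot answering a plain-HTTP request with a 301/302 to its login page, and a network altering a page in transit) can be told apart by fetching a plain-HTTP page whose content is known in advance. This is an added example, not part of any post in this thread; the host names, probe body and sample responses are constructed for illustration.

```python
from urllib.parse import urlsplit

REDIRECTS = {301, 302, 303, 307, 308}

def parse_response(raw: bytes):
    """Split a raw HTTP/1.x response into (status, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body

def classify_probe(raw: bytes, probe_host: str, expected_body: bytes):
    """Classify the answer to a plain-HTTP GET for a page with known content."""
    status, headers, body = parse_response(raw)
    if status in REDIRECTS:
        target = urlsplit(headers.get("location", "")).hostname
        if target and target != probe_host:
            # Redirect to a different host: the hotspot login-page pattern.
            return ("captive_portal", target)
        return ("redirect_same_host", target)
    if status == 200 and body == expected_body:
        return ("unmodified", None)
    # Anything else means the response is not what the origin serves.
    return ("modified_in_transit", None)

# Constructed sample responses (hypothetical hosts under .example).
EXPECTED = b"probe-ok\n"
PORTAL = (b"HTTP/1.1 302 Found\r\n"
          b"Location: http://portal.wifi.example/login\r\n"
          b"Content-Length: 0\r\n\r\n")
CLEAN = b"HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n\r\nprobe-ok\n"
INJECTED = (b"HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n\r\n"
            b"probe-ok\n<script src='http://ads.example/a.js'></script>")

if __name__ == "__main__":
    for name, raw in [("portal", PORTAL), ("clean", CLEAN), ("injected", INJECTED)]:
        print(name, classify_probe(raw, "probe.example", EXPECTED))
```

Over HTTPS neither the redirect nor the injected script can be placed into the response without the browser reporting a certificate error, which is why the login-page redirect only appears for plain-HTTP requests.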
Old 2018-07-24, 12:55   #77
heliosh
 
Oct 2017
++41

53 Posts

"Previously, HTTP usage was too high to mark all HTTP pages with a strong red warning, but in October 2018 (Chrome 70), we’ll start showing the red “not secure” warning when users enter data on HTTP pages."
https://blog.chromium.org/2018/05/ev...ndicators.html
heliosh is offline   Reply With Quote
All times are UTC.

This forum has received and complied with 0 (zero) government requests for information.

Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation.
A copy of the license is included in the FAQ.