Reddit to encrypt traffic


Great news. I think about encryption like a public health issue because it’s a little like getting vaccinated. Site encryption protects site visitors and everybody else on the internet. The fact that it stops your ISP from peeking at what you are browsing is just a bonus.

Unable to connect
Firefox can’t establish a connection to the server at boingboing.net.

Hm.

3 Likes

Help out a dinosaur, please. I started in 8-bit computing land – 6502s and Z80s – where every bit was precious. (Kinda like Great Depression kids valuing every penny.) How does HTTPS make life better, offset against the expense of certs, extra processing, and traffic?

I totally get the importance for financial transactions, where MITM attacks would be devastating. And there’s some (mostly potential) advantage for SEO from going HTTPS, now that Google uses HTTPS as a ranking criterion. And HTTP sites can’t get full referrer data from HTTPS sites, so analytics benefits from the change. (Then again, the biggest HTTPS referrer, Google, fudges this for the benefit of AdWords customers…)

But what’s the benefit for an outfit like BB? Some listener is still going to know the domain and port you’re going to, right? (Otherwise TCP/IP wouldn’t work, yes?) Traffic increases, so that seems like more expense. Plus there’s the cost of getting and maintaining certs. And moar CPU. Redirecting your old HTTP links to HTTPS can get tricky. Do social signals (say, Facebook badges) transfer across HTTPS?

Or is it more like fucking magnets: just enjoy the magic?

First, realize that most sites these days aren’t static HTML but instead are a mix of HTML and JavaScript or sometimes just a blob of JavaScript that builds everything on the fly. You are essentially downloading and running software on your computer.

So a malicious person that gets themselves between you and BoingBoing (for example) can alter the content. If all they are doing is adding ads or changing the content, it’s annoying but relatively harmless. The danger is that they add a bunch of script to the page. This is essentially getting you to download and run their software. Since your browser is a pretty good sandbox, it probably won’t harm you (other than consume your bandwidth and CPU cycles) but it can start doing things like DDoS attacks on other servers. China recently demonstrated this capability with their Great Cannon when they attacked GitHub.

Edit: Here’s a better explanation from the wonderful Brian Krebs:
http://krebsonsecurity.com/2015/04/dont-be-fodder-for-chinas-great-cannon/

2 Likes
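
The point made in the reply above, that an unauthenticated page can be altered in transit while an authenticated one cannot, as an added example that is not part of the original thread. It models the integrity protection of an HTTPS connection with an HMAC-SHA256 tag (real TLS uses AEAD ciphers with keys agreed in the handshake); the page content, the key and the `injected.example` host are constructed for illustration.

```python
import hashlib
import hmac
import os

TAG_LEN = 32  # bytes in an HMAC-SHA256 tag


def send_plain(body: bytes) -> bytes:
    """Plain HTTP model: the body travels with no integrity protection."""
    return body


def recv_plain(wire: bytes) -> bytes:
    """The client has nothing to check, so it accepts whatever arrives."""
    return wire


def send_protected(key: bytes, body: bytes) -> bytes:
    """HTTPS model: append a tag computed with a key the on-path party lacks."""
    return body + hmac.new(key, body, hashlib.sha256).digest()


def recv_protected(key: bytes, wire: bytes) -> bytes:
    """Verify the tag before the body is handed to the page renderer."""
    body, tag = wire[:-TAG_LEN], wire[-TAG_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed: body was modified in transit")
    return body


def on_path_rewrite(wire: bytes) -> bytes:
    """Constructed stand-in for an on-path party that adds a script tag."""
    extra = b"<script src=//injected.example/x.js></script></body>"
    return wire.replace(b"</body>", extra, 1)


PAGE = b"<html><body><h1>Hello</h1></body></html>"  # constructed sample page
SESSION_KEY = os.urandom(32)  # stands in for keys agreed during the TLS handshake


def demo() -> dict:
    """Send the same page over both models through the same on-path rewrite."""
    plain = recv_plain(on_path_rewrite(send_plain(PAGE)))
    try:
        recv_protected(SESSION_KEY, on_path_rewrite(send_protected(SESSION_KEY, PAGE)))
        rejected = False
    except ValueError:
        rejected = True
    return {"plain_contains_injected_script": b"injected.example" in plain,
            "protected_rejected": rejected}
```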

I agree. Waiting for HTTPS to be Boinged, too!

1 Like

The similar reasoning for most people going from telnet to ssh. Even for public access sites. Yes, there are still a few of those around that offer telnet access for the public for relatively free.

1 Like

I asked about this two weeks ago. Why does https://boingboing.net not work?

@beschizza says they’re working on it!

In 2011 they hoped to be there soon…

1 Like
