a.k.a. list of websites who don't mind if some user-hostile ISP injects ads into them
There are several reasons NOT to use #HTTPS when it's not needed:
- energy efficiency
- to cure groupthink among techbro...
And CAs are not that safe worldwide.
#HTTPS is not a silver bullet, there are trade-offs.
said the humble person who thinks he knows better than anyone else what words like "Hacker", "Kernel", "Mathematics", "Technology", "Stupid" and "Arbitrary Code Execution vulnerability" mean, to the point of forcing his own definitions onto everyone else.
Thanks @Wolf480pl, I hoped for this objection!
There is nothing more humble than challenging authority through simple arguments rooted in facts.
Because you are raising facts ABOVE you.
#Humility is from Latin Humus, earth.
#Earth is dirty, not polite.
It's low level, down, insignificant.
But it grows life.
Being #humble does NOT mean being modest. As Sherlock Holmes once said, modesty and arrogance are equivalent wastes of time.
Yet not trusting your own code IS humble. And I don't.
@Shamar yet you recommend it to others over LibreSSL
also, while your redefinitions of certain words may be rooted in facts, they have branched off a long way from the facts, through many assumptions and fact interpretations.
@Shamar Also, you don't seem to be raising facts above you. I was under the impression that we were supposed to adopt your definitions of those words because you say so, not because there are facts indicating these are the right definitions.
I welcome objections.
You did a few.
Some were correct, some were not.
You should remember that I have always listened carefully, trying to understand your insights and explaining mine.
Also, it's worth noting that I don't want (and I cannot) impose anything on anyone. I just PROPOSE my insights.
If they have any strength, it's only because of their own correctness.
@Shamar I welcome your openness to objections, and disagreeing with you is surprisingly fun.
>If they have any strength, it's only because of their own correctness.
Or because you repeated them enough times.
Can you make me see an example?
@Shamar I was referring to the situation where you told someone looking for a crypto library to use part of Jehanne instead of LibreSSL. It seemed very much like "I doubt everyone else's code, but not my code".
You mean here https://mastodon.social/@Shamar/101037789398501417
So I linked the code I ported to C99 for Jehanne. But that code is not mine, and I didn't intend to claim any merit for it.
Now I actually trust 9front's code A LOT.
But I wasn't comparing it to LibreSSL.
I was arguing that "don't roll your own crypto" shouldn't be taken seriously.
@Shamar Yeah, I mean there.
Still, you may've made a mistake when porting the code to C99 and Jehanne. Similar to how Debian developers made a mistake when patching OpenSSL to avoid a compiler warning. Debian's mistake meant all keys generated with that version of OpenSSL had very little randomness in them, and could be easily broken.
Yes, it's possible.
But it wasn't important in that case.
Also, I refuse to accept that a software X cannot be hacked because it's too important to get right.
I'm a big boy. I can take the risk.
So is who I replied to.
I assume people I talk with are as intelligent as I am until they prove otherwise (in both directions).
Suggesting that code was not an act of arrogance but an attempt to help.
And he who appears not to take bugs into account, appears to lack humility.
Do you care about how you appear?
I can't please them anyway.
Sometimes I do.
Sometimes I don't.
It's hard to decide.
I don't give a shit how many there are.
I have one such device. My friend has another one. Therefore, we have enough of a reason for OUR sites to also support HTTP.
Also, how many gamers use Linux? 1%? 0.1%? Is this enough of a reason to say that nobody should ever make their games run on Linux?
Then, how many gamers use OpenBSD? 0.001%? Does that mean anyone making a game for OpenBSD is doing sth wrong?
Besides, redirecting from HTTP to HTTPS is a flawed idea.
The browsers should always try HTTPS first, and only if it doesn't work, try HTTP.
If they MITM your first connection, they can downgrade you to HTTP in both approaches.
If there's HSTS, then you type link w/o scheme, and you get MITMed on _second_ connection, you're protected in both approaches.
The approach w/o redirect saves a round-trip and increases support for older devices.
@jeff @Shamar @danyspin97 @Wolf480pl centralisation is not actually caused by https, but by #CAs. Obviously as it is currently many (small) sites use #LetsEncrypt and are thus a little dependent on it/centralized. However, any CA could step up and implement the #ACME standard to get a LE alternative,
@jeff @Wolf480pl @danyspin97 @Shamar The thing you talk about, i.e. CDNs and trusting them has nothing to do with JS or WebAssembly. It's just the website owner who decides where to load that from, and obviously you can also load WebAssembly from a CDN.
(also CSS etc.)
Widespread #HTTPS adoption strengthens #centralization and it ensures that each user interaction reaches the server for better #surveillance / #marketing: without #TLS a #HTTP proxy could drastically reduce the amount of traffic that would reach the server.
However, e.g. existing CAs (and there are many…) could just adopt ACME to try not to lose too many customers, but it seems they are still afraid of offering free certs and think this business model will survive.
I don't get this "go on our website so it can download an application that runs locally in your browser" hype. It somehow completely defies the whole use of a website.
Why not just start an application in the first place? People are so hyped over this shit, they came up with technologies like electron. Local allocations executed by browsers in a box WTF
Worse they keep trusting the people who build their browsers.
I prefer them to be knowingly unsafe than unknowingly unsafe because they trust the wrong people.
Obviously there is not one technology that solves all the problems.
@Wolf480pl @danyspin97 @Shamar And most people don't even know that PlayStation has always used some sort of Linux or BSD type system. Most people don't realize that ChromeOS is actually a fucked-up version of Gentoo. MacOS used to be BSD based until around Darwin and is now unrecognizable. Even a Jailbroken iPhone uses .deb packages. Not having "AAA" games compared to Windows/Xbox is nothing more than your typical evil Micro$oft plot, as it has ALWAYS been. We need more Godot and Urho3D games.
I don't want AAA games.
I want more games like Faster Than Light, SpaceChem, etc. And turns out only indie developers are capable of making such games.
Fortunately, both FTL and SpaceChem work on Linux, but I'd love it if more indie game developers made Linux versions of their games.