@Shamar
a.k.a. list of websites that don't mind if some user-hostile ISP injects ads into them

@Wolf480pl

Exactly.

Because we are able to balance such risk with others. And being over HTTP has a series of advantages that are more important to our visitors.


@Shamar supporting both HTTP and HTTPS lets your visitors choose what's more important to them, and those who connect over HTTP will not suffer from the disadvantages of HTTPS, despite your server also supporting it.

@Wolf480pl @Shamar

Why should a website still support HTTP? It should be redirected to HTTPS by default...

@danyspin97 @Shamar

Old mobile phones don't support HTTPS.
Some user-hostile hotspots block HTTPS.
Sites with satellite internet connection have very high latency, and want to cache responses locally.

@danyspin97 @Shamar
by sites I mean local networks, and by locally I mean on some local proxy

@Wolf480pl @Shamar

Yea, how many devices are we talking about? 0.1%, 1% or 10% of the global ones?

@danyspin97 @Wolf480pl

There are several reasons NOT to use #HTTPS when it's not needed:

- meyerweb.com/eric/thoughts/201
- medium.com/berkman-klein-cente
- energy efficiency
- bandwidth
- ...
- to cure groupthink among techbro...

And CAs are not that safe worldwide.

#HTTPS is not a silver bullet, there are trade-offs.

@danyspin97 @Wolf480pl

Oh, I forgot heartbleed.com, it should have been the first on the list!

Everybody assumes there are no bugs now, exactly as they were assuming there were no bugs before Heartbleed!

Techbros never learn humility.

@Shamar
said the humble person who thinks he knows better than anyone else what words like "Hacker", "Kernel", "Mathematics", "Technology", "Stupid" and "Arbitrary Code Execution vulnerability" mean, to the point of forcing his own definitions onto everyone else.

Thanks @Wolf480pl, I hoped for this objection!

There is nothing more humble than challenging authority through simple arguments rooted in facts.
Because you are raising facts ABOVE you.

#Humility is from Latin Humus, earth.

#Earth is dirty, not polite.
It's low level, down, insignificant.
But it grows life.

Being #humble does NOT mean being modest. As Sherlock Holmes once said, modesty and arrogance are equivalent waste of time.

Yet not trusting your own code IS humble. And I don't.

@Shamar yet you recommend it to others over LibreSSL

@Shamar
also, while your redefinitions of certain words may be rooted in facts, they have branched off a long way from the facts, through many assumptions and interpretations of facts.

@Shamar Also, you don't seem to be raising facts above you. I was under the impression that we were supposed to adopt your definitions of those words because you say so, not because there are facts indicating these are the right definitions.

@Wolf480pl

I welcome objections.

You made a few.
Some were correct, some were not.

You should remember that I have always listened carefully, trying to understand your insights and explaining mine.

Also, it is worth noting that I don't want (and I cannot) impose anything on anyone. I just PROPOSE my insights.

If they have any strength, it's only because of their own correctness.

@Shamar I welcome your openness to objections, and disagreeing with you is surprisingly fun.

>If they have any strength, it's only because of their own correctness.

Or because you repeated them enough times.

@Shamar I was referring to the situation where you told someone looking for a crypto library to use part of Jehanne instead of LibreSSL. It seemed very much like "I doubt everyone else's code, but not my code".

@Wolf480pl

You mean here mastodon.social/@Shamar/101037

@angristan was looking for a simple implementation of AES and I suggested #9front one. As you know, 9front's libsec is coded in Ken C dialect.

So I linked the code I ported to C99 for Jehanne. But that code is not mine, and I didn't intend to claim any merit for it.

Now I actually trust 9front's code A LOT.
But I wasn't comparing it to LibreSSL.

I was arguing that "don't roll your own crypto" shouldn't be taken seriously.

@Shamar Yeah, I mean there.
Still, you may've made a mistake when porting the code to C99 and Jehanne. Similar to how Debian developers made a mistake when patching OpenSSL to avoid a compiler warning. Debian's mistake meant all keys generated with that version of OpenSSL had very little randomness in them, and could be easily broken.

@Wolf480pl

Yes, it's possible.

But it wasn't important in that case.

Also, I refuse to accept that a software X cannot be hacked because it's too important to get right.

I'm a big boy. I can take the risk.
So is who I replied to.

I assume people I talk with are as intelligent as I am until they prove otherwise (in both directions).

Suggesting that code was not an act of arrogance but an attempt to help.

Anyway, this is irrelevant: whoever doesn't take #bugs into account lacks #humility.

@Shamar
Yeah.
And he who appears not to take bugs into account appears to lack humility.

@Wolf480pl

Do you care about how you appear?

I don't.
I can't please them anyway.

@Shamar
Sometimes I do.
Sometimes I don't.
It's hard to decide.

@danyspin97 @Shamar

I don't give a shit how many there are.

I have one such device. My friend has another one. Therefore, we have enough of a reason for OUR sites to also support HTTP.

Also, how many gamers use Linux? 1%? 0.1%? Is this enough of a reason to say that nobody should ever make their games run on Linux?

Then, how many gamers use OpenBSD? 0.001% ? Does that mean anyone making a game for OpenBSD is doing sth wrong?

@danyspin97 @Shamar

Besides, redirecting from HTTP to HTTPS is a flawed idea.

The browsers should always try HTTPS first, and only if it doesn't work, try HTTP.

If they MITM your first connection, they can downgrade you to HTTP in both approaches.

If there's HSTS, you type a link w/o scheme, and you get MITMed on the _second_ connection, you're protected in both approaches.

The approach w/o redirect saves a round-trip and increases support for older devices.

@Wolf480pl @danyspin97 @Shamar Actually not a bad idea, but as you say it does not increase security and may only impact the performance positively.

And browsers can't introduce that now as it would break many, many websites. (Notice some even still serve different content over HTTP vs HTTPS.)

@Wolf480pl @danyspin97 @Shamar So in short: If we already had a #HTTPSOnly world, this would be possible. (But then we likely would not have needed that.) Currently it is not…

@rugk @Wolf480pl @danyspin97

Forcing everything over #HTTPS would increase the digital divide. Please guys, keep in mind that the world is big, complex, variegated... never assume you know it all.

@Shamar @danyspin97 @Wolf480pl @rugk forcing everything over https would increase the centralization unless alternatives to let's encrypt pop up. but that still doesn't secure javascript's execution model. probably webasm is our only way to do that.

@jeff @Shamar @danyspin97 @Wolf480pl centralisation is not actually caused by https, but by #CAs. Obviously as it is currently many (small) sites use #LetsEncrypt and are thus a little dependent on it/centralized. However, any CA could step up and implement the #ACME standard to get a LE alternative.

Don't know what you mean with this comment about #JavaScript and #WebAssembly.

@rugk @Wolf480pl @danyspin97 @Shamar right, the REAL problem is the lack of trust agility in the TLS CA trust model. javascript's lack of a sane execution model is a security nightmare, effectively all it takes is to own a single file on a popular js CDN and you've got the equivalent of a RCE in every web page that uses it. hopefully web assembler will fix the mistakes of the past by forcing a sane execution model onto people who utilize it.

@jeff @Wolf480pl @danyspin97 @Shamar The thing you talk about, i.e. CDNs and trusting them has nothing to do with JS or WebAssembly. It's just the website owner who decides where to load that from, and obviously you can also load WebAssembly from a CDN.
(also CSS etc.)

#SubresourceIntegrity (#SRI) is a solution for that.
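As an added illustration of the #SRI point above (not code from anyone in this thread): the site author pins a hash of the script they expect, the browser recomputes it over whatever the CDN actually delivers, and a modified file is refused. The script bodies below are constructed samples, and the check mimics the browser's rule of only trusting the strongest algorithm listed.

```python
import base64
import hashlib

# Constructed sample bodies: what the author pinned, and a copy with one line
# added in transit (the situation SRI is meant to catch).
ORIGINAL_SCRIPT = b"window.greet = function () { return 'hello'; };\n"
TAMPERED_SCRIPT = ORIGINAL_SCRIPT + b"// one extra line that was not in the pinned file\n"

# SRI permits exactly these digest algorithms, in increasing strength.
_STRENGTH = {"sha256": 0, "sha384": 1, "sha512": 2}


def sri_hash(body: bytes, algo: str = "sha384") -> str:
    """Build the integrity metadata value for a resource body, e.g. 'sha384-<base64>'."""
    if algo not in _STRENGTH:
        raise ValueError("SRI allows only sha256, sha384 or sha512")
    digest = hashlib.new(algo, body).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def script_tag(src: str, body: bytes) -> str:
    """Emit the <script> tag a site author would publish for a CDN-hosted file."""
    return f'<script src="{src}" integrity="{sri_hash(body)}" crossorigin="anonymous"></script>'


def sri_verify(body: bytes, integrity: str) -> bool:
    """Mimic the browser check: keep only entries with a known algorithm, pick the
    strongest algorithm present, and accept the body if any digest for that
    algorithm matches. No usable entries means the resource is refused here."""
    parsed = []
    for token in integrity.split():
        algo, _, rest = token.partition("-")
        digest_b64 = rest.split("?", 1)[0]  # drop any "?options" suffix
        if algo in _STRENGTH and digest_b64:
            parsed.append((algo, digest_b64))
    if not parsed:
        return False
    strongest = max(algo for algo, _ in parsed)  # max by name also orders strength here
    strongest = max((algo for algo, _ in parsed), key=lambda a: _STRENGTH[a])
    return any(algo == strongest and sri_hash(body, algo) == f"{algo}-{d}" for algo, d in parsed)


if __name__ == "__main__":
    pinned = sri_hash(ORIGINAL_SCRIPT)
    print(script_tag("https://cdn.example/greet.js", ORIGINAL_SCRIPT))
    print("original accepted:", sri_verify(ORIGINAL_SCRIPT, pinned))
    print("tampered accepted:", sri_verify(TAMPERED_SCRIPT, pinned))
```

The second `strongest` assignment is the one that counts; it orders by the table rather than by name so the rule stays correct if the algorithm list changes.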

@rugk @jeff @danyspin97 @Wolf480pl

About #CA, have you ever tried to open a #CertificationAuthority?

lobste.rs/s/e4n3ya/let_s_encry

Widespread #HTTPS adoption strengthens #centralization and it ensures that each user interaction reaches the server for better #surveillance / #marketing: without #TLS a #HTTP proxy could drastically reduce the amount of traffic that would reach the server.

#HTTP is a #decentralized system. #HTTPS is not.

@Shamar @jeff @danyspin97 @Wolf480pl Obviously it's not easy. (and it is not supposed to be!) That would be bad.

However, e.g. existing CAs (and there are many…) could just adopt ACME to try not to lose too many customers, but it seems they are still afraid of offering free certs and think this business model will survive.

@Shamar @Wolf480pl @jeff @rugk

It still can be done, even if it is really expensive. I would suggest doing it, instead of suggesting an old and insecure protocol such as HTTP.

@jeff @Shamar @danyspin97 @rugk
>webasm
>secure

LMAO
AFAIK webasm only makes it easier to do rowhammer, spectre, and the like. How'd that be more secure?

@Wolf480pl @rugk @danyspin97 @Shamar iirc one of the first demos for all of those were in javascript.

@Wolf480pl @jeff @Shamar @danyspin97 @rugk
There is nothing more secure than static websites.

I don't get this "go on our website so it can download an application that runs locally in your browser" hype. It somehow completely defies the whole use of an website.

Why not just start an application in the first place? People are so hyped over this shit, they came up with technologies like electron. Local allocations executed by browsers in a box WTF

@Vamp898 @jeff @danyspin97 @rugk

It depends on the threat model, as @Wolf480pl usually says.

If your static website contains information for a protest against your government, #HTTPS would be a good idea.
#JavaScript or #WebAssembly would not.

But I share your pain about #hype driven #technology.

@Shamar @Vamp898 @jeff @danyspin97 @Wolf480pl HTTPS is always a good idea. If you don't use HTTPS, you do not even need to worry about CDNs or so injecting stuff… every stupid airport/restaurant/government/whatever will do.

@rugk @Vamp898 @jeff @danyspin97 @Wolf480pl

But the users know the risk.

And if they don't there's nothing you can do to make them safe. They would add a certificate exception anyway.

Culture is a precondition of security.

@Shamar @Vamp898 @jeff @danyspin97 @Wolf480pl Users certainly do _not_ know it (ask anybody to explain what HTTPS means…), but as for the "click-through"/"bypass" issue we have #HSTS. No click-through possible, problem solved.

@rugk @Vamp898 @jeff @danyspin97 @Wolf480pl

And they remain vulnerable and unaware of the undetectable #JavaScript attacks I talked about before.

Worse they keep trusting the people who build their browsers.

I prefer them to be knowingly unsafe than unknowingly unsafe because they trust the wrong people.

rain-1.github.io/in-browser-lo

bugzilla.mozilla.org/show_bug.

dev.to/shamar/i-have-been-bann

@Shamar @Vamp898 @jeff @danyspin97 @Wolf480pl Could you please refrain from mixing these issues?

HTTPS has nothing to do with the #JavaScript things you talk about. These are completely separate issues, completely different layers… Just totally unrelated.

Obviously there is not one technology that solves all the problems.

@rugk @Vamp898 @jeff @danyspin97 @Wolf480pl

The blind execution of #JavaScript in the #browser and #HTTPS absolutism have ONE important aspect in common: they are fostered (even economically) by the same organisations.

#Technology is #Politics.

Check the #WHATWG members, the #Mozilla incomes and the #LetsEncrypt's sponsors.
You will find the same organisations over and over.
Notably philanthropic billionaires! ;)

@Shamar @Wolf480pl @jeff @Vamp898 @rugk

Yea, Mozilla and Let's Encrypt sponsor technology such as HTTPS. I'm glad they offer security by default for non-tech users.

JavaScript is a completely different matter from HTTPS, and you can have HTTPS while disabling JavaScript. The truth is that the web relies so much on JavaScript that you cannot entirely disable it without breaking your internet experience.

Still, I don't see how sites that use JavaScript (without malicious code or intent) are related to centralization and spying. I get that it isn't secure, but using it is not a bad thing by itself.

@Shamar @Wolf480pl @danyspin97 Yeah, old devices are already an issue. However, most sites already force HTTPS and sites like Twitter and so on seem to be able to handle old devices quite well, so they won't lock out users. (obviously they also don't want this.)

@Shamar @Wolf480pl @rugk

Yea, but assume you must offer the most security you can, and enabling http on your site means that you're opening a door to the connection. And you're doing it for unaware people, that's the problem in my opinion.

@Wolf480pl @danyspin97 @Shamar And most people don't even know that PlayStation has always used some sort of Linux or BSD type system. Most people don't realize that ChromeOS is actually a fucked-up version of Gentoo. MacOS used to be BSD based until around Darwin and is now unrecognizable. Even a Jailbroken iPhone uses .deb packages. Not having "AAA" games compared to Windows/Xbox is nothing more than your typical evil Micro$oft plot, as it has ALWAYS been. We need more Godot and Urho3D games.

@TheOuterLinux @danyspin97 @Shamar
LMAO that's not what this discussion was about, it was about HTTP vs HTTPS, but... fine?

My counterargument:
I don't want AAA games.
They're shit.

I want more games like Faster Than Light, SpaceChem, etc. And turns out only indie developers are capable of making such games.
Fortunately, both FTL and SpaceChem work on Linux, but I'd love it if more indie game developers made Linux versions of their games.

@Wolf480pl @alcinnz @TheOuterLinux

I don't dislike AAA at all.

Yea some of them are shit but there are some titles which will remain in history and in my heart too.

The last of Us, Assassin's Creed II, Oblivion, Fallout and many many others...

I like indie games as well, but that's not a reason to dislike AAA.

It's also true that AAA don't support Linux at the moment, but we (as a community) are working to make the platform appealing for AAA publishers.

@danyspin97 @alcinnz @TheOuterLinux
Well, I'm weird because for me, 2 indie games is way too much and I don't have time to play them, let alone playing any AAA games in addition to them.

niu.moe