> A student should be able to browse for information on depression without their principal knowing it, a dissident should be able to research how to avoid national firewalls without their government knowing it, and anyone who damn well pleases should be able to read whatever they like without their ISP knowing it.
If you just redirect all of the http traffic this isn't entirely helpful to these people. The original request is sent in clear text and redirected.
We'd assume they'd be using HTTPS; you can't redirect HTTPS traffic without serving an invalid certificate, which most browsers will warn you about. Or a forged cert, but that's harder to do.
Unfortunately HTTPS is unable to protect you in a school/office setting, or wherever you use a computer provided to you by someone else.
In those cases, certificates can (and will) be forged very easily.
> "First, TLS doesn't just guarantee confidentiality, it also provides authentication and guarantees the integrity of this page. That prevents an attacker on the network from serving you bogus content, and pretending like it's from me."
But it doesn't though. If (for example) you're using Cloudflare's free SSL, then the SSL termination is at their servers and there's nothing stopping them from mangling the page between the original server and them passing it on to you.
How do you actually know if you're connecting to the server and not some terminating load balancer and the connection is unencrypted from there to the server?
You don't because that's how HTTPS is built: the client trusts whatever is sent its way as long as it's sent with a certificate that matches the domain.
Said differently, the server trusts Cloudflare to distribute the content as expected, under its own name. This is _technically_ no different than you trusting a machine to run the correct code and return the correct page, whether it's at home or at your hosting provider. You as a website owner have to trust all those components to behave correctly, and Cloudflare is just another piece of it.
Of course given the easiness with which Cloudflare can intercept the data (versus your hosting provider running some other code), the threat becomes palpable, but HTTPS can't give you anything here.