Referring to solutions that are under construction doesn't cut it. If you're that passionate about it, contribute to the SSL cert solution yourself instead of to the endless calls for HTTPS-only.

The 'Semantic Web' movement promises that if everyone would just publish their websites in XHTML with RDF annotations, we'd magically achieve world peace and end hunger. (I exaggerate slightly.) Should we ban non-semantic websites?

Physical snailmail and the spoken word are unencrypted. Both are frequently used to transfer data more sensitive than cat pics. If I'm surfing a website in a coffee shop, yes, there's a danger someone could intercept the data to spy on me. But they could just as well look over my shoulder, and HTTPS-everywhere isn't gonna do anything about that.

Saying that spoken word and snail mail are unencrypted and thereby implying that we should be no more worried about unencrypted digital traffic than we are about our real-world conversations is a harmful analogy, because it's evidently superficially true, but it implies that accessing your bank account over HTTP is no more dangerous than saying your credit card number in the street. That analogy would hold if every conversation that we have (or letter we send) could be recorded, filtered and searched at scale by anyone who cared enough to do so. In reality, using encrypted web communication is more analogous to real-world conversation - if somebody is particularly interested in what you, individually, are doing or saying then barring significant efforts on your behalf, they can probably get access to it but encryption, and analogously the security afforded by the difficulty of overhearing people's conversations in real life, prevents widespread, untargeted surveillance that would make, for example, automated harvesting of bank details, or the identification of people interested in a particular political movement trivial.

Note that the proposal this comment is in regard to a propasal to ban HTTP for websites of the federal government. It does not mean you have to stop offering HTTP for your own service.

I think the government can afford a couple of SSL certificates, and the privacy and authenticity improvements are well worth it when communicating with goverment institutions.

The truth is that currently, RIGHT NOW there are dozens of government agencies monitoring HTTP traffic that includes things like Bing searches (!) which millions of people do and do not realize are not private. Browsers need to be designed to aid laymen when things are insecure.

Lastly, I don't know if it is you specifically, xamuel, but there is a history[1] of government agents infiltrating influential organizations and communities in order to slow down movements, change prevailing attitudes, or discredit the members there. I think in cases like this it is important to remember how influential Hacker News is, since it feeds publications that set public perceptions about technology, like Wired and the New York Times.

[1] Operation CHAOS, Project MERRIMAC, Project RESISTANCE, Operation Mockingbird, GATEWAY, CLEAN SWEEP, UNDERPASS, and many others.

Visible affiliation.

Government agents who come to speak and identify themselves as such are obviously always welcomed to have an opinion and voice it in public.

I have replied to several sock puppet accounts on HN that were clearly foreign governments trying to influence the discussion, this is not acceptable.

I don't see that HTTPS-encrypting .gov websites provides much security advantage.

Ideally browsers should just bundle their own CA certs, and implement some form of semi-formal wot/have a sane UI for the rest. After all we trust our browsers implicitly - but why should we elevate them to do transitive trust for us?

Lets just build on x509, and get some kind of meaningful trust.

Lets say that Apple, Microsoft, Debian, Red Hat (eaxh distribute their own trusted (self-signed) CA cert. And also work with Mozilla, Google to trust (sign) their certs.

Then let trust-on-first-use or some other distributed method take care of the rest. When let's encrypt work: let distributions trust that too.

The resulting system would not be perfect - but I still think it would have a better trust model than our current mess.

As it stands, we punish people who want "half security" much more than people who go for "no security"

If any solution to this mess exists, it is going to require this UI. A fundamental problem with PKI is the trust decisions are not being made by the people that rely on that trust for protection.

What we need is pluggable trust, where it is easy indicate that I trust the shared-by-hand-only cert a friend made for chats between a few friends, a different cert for communications with my bank that I got a copy of by walking into a local branch, and some well-known CA for everything else. This is not "web of trust", though the concepts may overlap; this is about having a easy way to plug in whatever trust model you care to use and allowing different trust models for different endpoints.

The problem with the current trust model, is that it's unclear who we trust -- or put in another way, who we empower to betray us. No trust without the possibility of betrayal - no betrayal without trust.

With the current model, the path from who the user trusts (eg: Mozilla, Google and the OS vendor) is abused to extend to way too many CAs. So many, that the user can give up (ie: I use the browser and trust the green bar) -- or get a crippled experience, because the model assumes that you trust all bundled CAs. Sure, power users can in theory remove CAs from the store (and add ones, like I do for cacert.org, as I use them for my domains).

The fact that I add cacert.org reminds me of another thing: There should probably not be any CAs that can sign arbitrary subdomain.TLD. Since I add cacert.org, they can empower someone to mitm all my tls connections. But that is a separate issue - this issue already exist.

Trust decisions is all about meaningful choice -- and choosing between not using the web, and trusting Chinese (and every other) intelligence, along with various foreign corporations (they're all foreign to someone) to not enable/be tricked into mitm my email, my web browsing etc.

True - but the second that solution exists, I can't think of anything that should stick with unsecured HTTP, and this article didn't change my mind. I don't think we need a "ban", though. Just flip the way browsers show secured vs unsecured, instead of the green reassuring lock for https, that becomes the expected default and http gets a scary red plaintext indicator.

> Referring to solutions that are under construction doesn't cut it. If you're that passionate about it, contribute to the SSL cert solution yourself instead of to the endless calls for HTTPS-only

Right. In similar threads, I've seen a lot of people linking to Let's Encrypt[0]. The idea of that project is great but, at best, all we can do now is discuss how to enforce HTTPS once Let's Encrypt (or something comparable) is available. Anybody who runs a small, personal website that generates no revenue would essentially be screwed if it were enforced before then, as (and someone can correct me if I'm wrong here) there aren't really any affordable options at this point for people who don't have much money to throw towards their site.

[0] https://letsencrypt.org/

Let's Encrypt, if it goes according to plan, is only a few months away. It's not just some fairytale that we're hoping will come true someday. It could be reality very soon! It's got some pretty big names behind it, including one of the Big Three browsers, so I'd say that it has a pretty good chance of success.

And if Let's Encrypt fails, surely someone else will try something similar in the near future. Some registrars are already handing out a free certificate with every domain. I got ~10 certificates in the last year alone, half of them for free (StartSSL) and the other half for $5/yr (PositiveSSL). The momentum is there, it's irreversible. Even if we don't hit $0, we're asymptotically headed toward it.

Moreover, given the pace at which governments and other large organizations move, I have zero worry that HTTPS-only will be "enforced" before free certificates become widely available. Ditto for browser vendors. Chrome will not risk blocking non-HTTPS websites before the time is ripe, because if it did, people will just delete Chrome and move to another browser.

This whole debate is just a bunch of FUD concerning entirely unrealistic scenarios. Why are we spreading this sickening FUD instead of, say, supporting the two well-known organizations (EFF & Mozilla) that are trying to bring free SSL to everyone?

The next year I just paid someone to do it for me.

I would never recommend StartSSL to anybody.

[1] https://www.digitalocean.com/community/tutorials/how-to-set-...

[2] http://www.troyhunt.com/2013/09/the-complete-guide-to-loadin...

I have also written up how the entire process works (from generating the key to creating the CSR and getting the thing signed) for a specific (non-webserver) use case and while I don't claim my writeup is perfect, several people have had no difficulty following it in under 15 minutes, even though it was the first TLS certificate they ever installed.

Seems like your narrative is contradictory.

A young friend is learning to program, so I set up a virtual server as a place for them to upload things. It was only when I went to give them the account information that I had to stop and think about how complicated the "easy" act of uploading files via SSH is. Shell commands, directory trees, working directories, the fact that the web site is in /var/www and what that means, why index.html is special, what ssh keys and asymmetric encryption are, what a bastion host is, etc, etc.

What irks me is that the biggest HTTPS-only advocates (mostly Google employees) simply do not care about this problem. They do not address it.

That's not a good argument. "Over my shoulder" surveillance is very hard to achieve covertly and consistently and is much easier to detect than digital surveillance. It also scales pretty poorly compared to digital one, at least until we get cameras that can record in every direction with resolution enough to read computer display from a dozen meters and put them literally on every wall.

> Referring to solutions that are under construction doesn't cut it. If you're that passionate about it, contribute to the SSL cert solution yourself instead of to the endless calls for HTTPS-only.

So you want a free, easy, and maintainable solution, but you don't want to talk about solutions that are currently under development? What kind of argument is that? It's as if you specifically added that condition to preempt any discussion about Let's Encrypt. Guess what, a lot of us actually are passionate about this solution, so we're actually contributing to that project by supporting EFF and Mozilla.

The call for HTTPS-only does not ring in a vacuum. Context and timing are critical for any plan that might involve a chicken-and-egg problem. But that's not an insurmountable problem. The proposed enforcement will come into effect some time in the future (if ever). So we still have a few months, maybe a couple of years to prepare for it. That's enough time to build a free CA that can disrupt the shit out of the extortionist market.

Opposing a plan for the future just because a prerequisite does not exist right now is gratuitous negativity, especially if you're deliberately ignoring "actually existent" efforts to build that prerequisite.

Threatening one another into taking action is exactly how progress happens in a market economy. Somebody is always threatening to drive somebody else out of business. Either you disrupt or you are disrupted. And since we probably won't be getting rid of this ruthless system anytime soon, I'd rather want to see the good guys drive the bad extortionists out of business rather than the other way around.

This is just to convince general population that now it is safe again and you don't have to worry about someone snooping on you, because the communication is encrypted.

Yes, your communication with let's say Google is encrypted, but that doesn't mean Google won't share your data to the three letter organizations. And this is the simplest way, ignoring NSAs various efforts to place vulnerabilities in encrypting software.

Similarly as with phones encryption, it doesn't really help that much, for example when last time NSA ever needed physical access to your phone?

Banning, discouraging, creating a market for 'solutions to SSL' and evolving the whole thing together is a challenging proposition.

Snailmail and spoken word are much harder to snoop en masse. Apples, oranges.

I've always been okay with dropping HTTP for HTTPS-only as a long-term goal, as long as we get rid of the SSL cert racket first.

As far as MITM and identity go, could we at least modify the protocol to allow fingerprint caching, as opposed to certs, as a fallback? ...SSH does this and it is arguably more important to secure than HTTPS.

Fingerprint caching seems insecure when you think about it, yet we're all okay with maintaining our servers with this in place.

Furthermore, X.509/ASN.1 is the worst thing to happen, ever. I know this because I damn near tore my hair out trying to implement an x.509 certificate validation.

"It is really a messed up situation to have to pay to not have your website marked as dangerous"

Why do we treat ID verified certificates (i.e. it has your name on it) as somehow "better" than the former, but the browser doesn't care, it just cares that the cert was signed?

Why do certificates expire, but not require new keys? (And why does this expiration cause a scary warning akin to a self signed cert?) There is no practical reason for the expiration, save to line the pockets of the CAs.

None of this crap makes any sense, unless you view the CA system as exploitative and broken by design, in which case the answer to most of these things is "because greed".

But couldn't it be ad support for how little it costs? Just watch this 5 minute video then get a free domain certificate.

I think we need a NFP org to become a trusted auth for these types of things. No way is GoDaddy going to help us here..

My time isn't worthless, but for a personal web-site I am already "wasting" tons of time on it, and what is 5 minutes more? Better than a $60/year certificate.

StartSSL is too terrible. Let's Encrypt doesn't exist. And CloudFlare requires you to use their entire service for the free certificates.

At least not as long as your browser trusts hundreds of CA's, including shady ones such as Comodo[1] who will issue fake certs to any name (Google, Skype, etc.).

[1] https://www.schneier.com/blog/archives/2011/03/comodo_group_...

You're supposed to use out of band methods to verify the host key before approving it.

While I acknowledge it's burdensome and the process could probably be streamlined, it's not my problem.

We already have that. It's called HTTP Public Key Pinning (HPKP). But not "opposed to certs". In addition. Which is the right thing to do: Don't use it as a replacement for existing security, but add it on top of what we already have.

SSH's fingerprint system is intended to be used by people who understand the basics of it. HTTPS is intended to be used by the average web user, who will click "yes" on any prompt that comes up.

1. HTTPS does not only guarantee that data is secret, it also guarantees that data is not manipulated. And in this sense scientific data is very sensitive - it matters that you know your data is the correct data.

2. As so many do, it vastly exaggerates the performance costs of HTTPS. They are really minimal. If you really care I suggest you benchmark before you make any claims regarding your servers can't handle it.

AES instruction sets implemented in hardware are the main factor in making HTTPS viable. But my toaster (which speaks HTTP), or my ARM based router, or even my high end server iDRAC/iLO does not have a dedicated x86 or AES hardware instruction.

so the point stands, even if it's not relevant to modern laptop users.

Google is already using ChaCha20-Poly1305 inside Chrome to talk to Google servers, if your hardware doesn't support AESNI. It's been doing this since early last year, and Adam reported at that time nearly 40% of all traffic to Google was going through it (including mobile devices IIRC): https://www.imperialviolet.org/2014/02/27/tlssymmetriccrypto...

As for bulk data transfers for government-funded scientific research, data integrity for anything having to do with clinical trials or personally-identifiable information is among my highest concerns. And unless we're pumping that data across private fiber, the latency and bandwidth limits of the global Internet far outweigh the overhead caused by encryption/authentication algorithms.

(I would add that I think bulk data transfers ought to be encrypted over private/internal networks as well, but that's an argument for when I'm not on mobile.)

Not true. It's something like 30-40 cycles per byte to do AES without specialized instructions. That makes saturating 100mbit trivial, and saturating gigabit one of the easier problems. How much traffic can your toaster and router possibly be terminating?

Just as an example of the difference - I wrote a naive implementation of ChaCha20 in C with zero optimization effort and it does 5cpb out of the gate (Sandy Bridge). Just using vector-types and letting GCC/Clang vectorize brings that down to ~3cpb on Sandy Bridge - no effort. The Krovetz implementation of ChaCha20 is closer to 1.2cpb on my machine, with AES-256 doing 1.0cpb using AESNI (again, my own naive implementation). All software.

Even the most hand optimized, secure AES software implementations are still in the realm of ~15-20cpb (IIRC), three-to-four times worse than the unoptimized competitor. As linked elsewhere in this thread by me, non-scientific tests show it 3x faster in software on some mobile phones. That's a lot of extra cycles-per-byte for your battery to chew through using AES-256, and I'd guess I easily churn through a low number of gigs of HTTPS data every month..

And let's say you use 6-8GB of HTTPS data. 3 minutes of full use of a single 1GHz core per month is not a lot of battery.

> I suppose you could put the content hashes on an https page...

Aren't these the same thing?

The additional bandwidth is not really that big. Yes, you cannot cache the big news-papers etc. when everything is https, but I think most stuff people do nowadays is things that's not cache-friendly anyway (like your private e-mail, facebook etc.). If they are afraid of some people using all the bandwidth because they cannot block youtube, netflix etc., they can can divide the traffic in better ways, limiting each client.

> Restricting the use of HTTP will require changing a number of scientific analysis tools.

A non-argument. One cannot let things remain the same for ages just because of backwards compatibility.

> HTTPS is not a security improvement for the hosts.

So what?

> HTTPS is frequently implemented improperly

Non-argument. Https not being perfect doesn't mean it's useless.

I'm not necessarily saying https-everywhere is a good idea, just that these arguments adds nothing to the discussion.

So you're OK with throwing away a perfectly fine and proven internet protocol which has survived for several decades, on a vague notion you have that "it's probably not that cache-friendly anyway".

That sounds solid.

> HTTPS is not a security improvement for the hosts. So what?

Reduced performance. Increased latency. Increased complexity. Increased attack-vector size. But indeed: so what?

> HTTPS is frequently implemented improperly. Non-argument.

Yes. Who cares about the real world, anyway?

I'm awfully sorry, but I honestly don't think your post counts as a very good counter-argument to those very valid points which were raised in the reported issue.

HTTPS is not throwing away HTTP. It just protects it with TLS.

>Increased attack-vector size. But indeed: so what?

I think you meant 'decreased'. By not being able to modify the payloads or steal cookies, attackers are only left with the TLS protocol to try to mess with, which is a much smaller attack vector than being able to tweak HTTP headers and so-on.

It could have been a sideways glance at flaws in SSL/TLS that have rendered servers, data, or both compromised. Basically, a straw-man claim that plain text is actually more secure, since a flaw in the crypto stack could exist.

Actually, in the issue that is linked the real problem is that HTTP is to be discarded in the government.

It doesn't seem to me like you grasp the real world. There is a bit of a disparity between how we handle static content vs. dynamic API calls, and you demonstrate a willingness to conflate them repeatedly in this thread. It's baffling.

Don't do straw men, please. I said that it's not as big an issue as the author said it was. Nothing more, nothing less.

> Reduced performance. Increased latency. Increased complexity. Increased attack-vector size. But indeed: so what?

Not that much increased complexity in most cases. But the performance is a potentially good argument. The author should have used that instead.

> HTTPS would hide attacks from existing intrusion detection systems.

is completely wrong. Intrusion detection systems are usually checking traffic between the reverse proxies and the servers where traffic is not encrypted.

There are quite a few problems with his post and it makes it appear that he has an agenda rather that genuine concern.

Additionally, it makes website-owners beholden to the CAs (and I know they're already beholden to domain registrars but that's not really a good argument against adding an additional, arguably unnecessary cost to someone who just wants to run a hobby website.)

As I remember it, the proposal for mandatory opportunistic encryption was that it'd still be the http:// scheme with no padlock, so no expectations are set but some benefit is there.

You are not required to have a domain to have a website; just using an IP address works fine too, and - more importantly - unlike what would happen if the proposal to ban plaintext goes through, browsers don't give big scary warnings if you use an IP instead.

That said, Firefox does give a "scary warning" if you use an IP.

We had an internal dev' server. We generated a certificate for the IP address using our internal CA. We installed the internal CA on client machines+inside Firefox, Chrome and IE worked perfectly, Firefox bounced the IP address "domain" certificate even though it was valid by all metrics we could measure. It just claimed that the IP address of the host and the certificate's CN weren't matching even though they were. We tried it as the alternative name also, no dice.

We finally had to assign the machine an internal domain name using our DNS servers and redirect from the IP address just to fix Firefox's HTTPS issues with IP addresses. It is damn stupid and no other browser acts this way.

A non-answer. We have done just that for ages, which is why dual core gigahertz processors with gigabyte of ram started up in 16 bit real mode (I don't recall if they do anymore) long after nobody used 16 bit real mode.

> The additional bandwidth is not really that big.

It's actually not so much about bandwidth, it's more that if they don't have a computer at home they will have to use a computer at a library that forbids all HTTPS, making the resources unavailable.

> A non-argument. One cannot let things remain the same for ages just because of backwards compatibility.

So you volunteer to migrate and maintain all the software we're talking about here, or to pay the people that will do it over the decades to come ?

Migration doesn't come out of thin air by simply snapping fingers. Yes, the software is old. Yes, it's ugly to see. Yes, it's hard to maintain. But, if you read the article, you would no that there is no funding to maintain it, so they're doing what they can with what they have. Everyone would love to use the cleanest, leanest, UNIXest tech stack, but the realities of the world make it far more difficult than what we're used to see on HN.

That's a weak argument. If places like Libraries continue to block all HTTPS content, before long they would have blocked so much of the internet that the entire service would lack a coherent point.

Most sites in the top 50 are HTTPS only now. How long until they all are?

For example: "Stunnel is a proxy designed to add TLS encryption functionality to existing clients and servers without any changes in the programs' code."

https://www.stunnel.org/

Why? All because some memo-writer in Washington said, "There's no such thing as insensitive web traffic!"

It's easy to make these proclamations when you have no part in fixing the fallout.

Please. Don't forget you can actually be infected with malware through plain-text connections. It's not just a privacy thing.

A million times this. I cannot believe that the current HTTPS-nazis totally fail to see something this obvious.

There's countless use-cases where plain HTTP is not only OK, but probably the simplest and best option.

Trying to ban it to address some vague possibly-maybe security-related theoretical issues seems asinine.

There's countless use-cases where plain HTTP is not only OK, but probably the simplest and best option.

That doesn't mean HTTPS everywhere is a bad idea. There definitely are use-cases where HTTP would be faster/cheaper/easier/simpler/etc, but the move to ban HTTP takes all that in to account, and argues that banning it is still a good idea because the implications for privacy are simply more important than any of those issues.

What do you think is the purpose of the NSA hardware that is deployed[1] at the Tier1 internet exchanges[2]?

[1] http://en.wikipedia.org/wiki/Room_641A

[2] http://en.wikipedia.org/wiki/Tier_1_network#List_of_tier_1_n...

Surely a move towards centralised control of the web is not good from the tracking/privacy point of view.

The short-term benefits might look nice, but this looks to me like a long-term play. The fact that this movement has been led by Google - who value tracking - would seem to suggest that their tracking is not harmed.

I'd say that's more about censorship than tracking/privacy, which is also a very important issue to consider. For things like banking (this has to be the most widely mentioned use-case for SSL) it is arguably a centralised entity we're interacting with so it somewhat makes sense, but the Internet is more than that - much more.

HTTPS does not solve this problem. SNI leaks the hostname of the requested resource, the timestamp of the request and, if not used in conjunction with an anonymizing proxy/VPN/TOR, the identity and possible location of the requesting machine. In case of static IPs even HTTPS-only allows a fair share of tracking and profile-building by ISP or other snoops.

Where are these arguments? I haven't seen any argument that acknowledges that we are losing a big part of what made the web initially great; that it was dead simple to create your own website.

I'd respect the https-only crowd if they would acknowledge this as a legitimate big loss. But instead they seem to ignore it. I think they are just ignorant to the needs of anyone but their large corporate employers.

But that's only if you want your own domain. Back then, people used Angelfire and Geocities, and so can you nowadays use Neocities (great project!) and get HTTPS without doing anything.

If self-signed certs were not looked down upon I would consider that to be a reasonable compromise.

Can you point me towards that ?

(not for arguments sake. I really want a certificate)

Here: https://www.ssls.com/comodo-ssl-certificates/positivessl.htm...

(SSLs is part of the Namecheap group, btw)

Notice how encryption which is under control of the user (mobile device encryption, cryptocurrencies, full-disk encryption, self-signed certificates) is seen as a threat, while systems like the SSL CA model where governments could more easily obtain keys if they wanted to, are not?

"Those who give up freedom for security deserve neither."

I can see good arguments for _encouraging_ HTTPS where necessary but not the blanket prohibition of HTTP.

HTTPS does not protect you from third parties profiling what sites you visit, only the specific URL paths you access (since who you connect to is still in the clear).

In a big organization, a caching HTTP proxy server would provide the caching benefit, where an HTTPS-only Internet cannot. But while a home user has a single IP, all users behind a caching HTTP proxy server effectively share the same IP (or cluster of IPs), and are mix-anonymized (unless the proxy is not configured this way).

So sure - HTTPS ensures that URL paths accessed are private. But there are cases where there is a caching benefit and the real-world privacy-loss isn't as big as you make out in those situations.

If you're bothered about organizations spying on their users, then sure, those users can use HTTPS. My argument is about the cases where users are doing things where they want the caching though.

> Using HTTP takes that choice away.

Users and websites can still have the choice of using HTTPS. If we were talking about banning HTTPS or not requiring HTTPS to be available, then you'd have a point. But we're talking about banning HTTP. That takes choice away by definition, so don't pretend this is about taking choice away from users. In reality what you're arguing for here is to foist your choices about trading cacheability for privacy onto others by taking their choices away. There's nothing wrong with this position, but let's not pretend that it is something that it isn't.

I'm certainly in favor of sites being HTTPS only when they involve directly private information. I also accept that access to anything involves a tracking trail which in aggregate is privacy-sensitive. But where there is a caching benefit (or some other benefit) of not using HTTPS, perhaps users should have the choice to do so. Maybe clients shouldn't do it by default, and maybe it's reasonable for sites to always offer HTTPS as an option. Still, "don't ban HTTP" does have a case in such scenarios.

I think part of the problem here is that HTTP has spawned a number of use cases larger than any of us can contemplate at once. This is much broader than the general "web app" or "information browsing" use cases for which the HTTPS case is really important. "Ban HTTP" means banning all of these cases. It's very difficult to convince anyone that all use cases have really been genuinely considered on neutral grounds, and much easier to make the decision first and then pretend that workarounds are enough when a new use case is presented.

Why? HTTPS proxies aren't exactly unheard of, and organizations are already rolling out their own CAs anyway.

When I'm at work and want to access my online banking securely, I don't want my organization's proxy cache to MITM me. So I choose not to use my organization's MITM CA.

When I'm at work and am working on testing my reproducible server deployment, I really want to use my organization's caching proxy server so that I can download packages at 1 or 10 Gbit instead of the much lower speed of my organization's shared Internet connection.

This is very easily done right now: I use HTTPS for my online banking, and HTTP for my distribution package downloads. Everything points at my organization's proxy server, but no other special arrangements are required.

You're telling me that my organization has to roll out its own CA, implement HTTPS MITM caching, and I have to add the CA in my test deployment, all for what? So my organization can MITM my online banking, or that my organization's MITM proxy is now an additional attack surface for my online banking?

Sure, there are technical ways round this, but it involves jumping through hoops for no privacy gain. As I've pointed out elsewhere, downloading distribution packages over HTTPS offers no real privacy benefit since what users are downloading can be inferred from download sizes anyway.

Again: all I'm saying is that there are valid use cases for the current status quo.

Internal to a business that is already MitMing everything, yes. Is that strange?

This HTTP request is sensitive? It's secret? A profile is going to be built from it? A profile of what? Bob Roberts, Ph.D., University of Studyton, downloading NASA solar data to his lab computer? Oh no, poor Dr. Roberts, now the NSA will know what he downloads...

Come on. Insensitive web traffic certainly does exist. If you think it doesn't, you must have no imagination.

If you don't care about the data you're getting back from a server being wrong, why bother requesting it in the first place? If you do care about it being wrong, HTTPS isn't a bad way to help ensure that what you're getting is what the server is giving out. It's not perfect, but nothing is.

Perhaps I'm not overly concerned with the prospect of someone altering a gif of a cat falling over because someone put ham on its face.

People can send me fake letters and post can be intercepted but it's still useful.

I'm not saying that security isn't important or that we shouldn't be securing more than we are but the argument that it's vital everything is secured is clearly false. There is traffic that I simply do not care if it is public, and the risk of it being modified (and the consequences if it is) are so low that I think the added time and stress of worrying about it would be more detrimental to me.

You're also skipping straight over the risk that it happens at all, which is a fairly important part of a risk assessment.

What makes that much more likely than someone just emailing it to me? Or tricking me into it by putting different text in the link?

If that's the argument, it reasonably applies to everything, everywhere, and we should scrap TCP alltogether.

Instead we need to implement a replacement which ensures everything everywhere at every level of every stack does crypto as well. Let's call it STCP!

Or does that suddenly sounds zealous? It just follows from your base argument.

[1] http://blog.chromium.org/2013/06/experimenting-with-quic.htm...

Finally, HTTP is a bit of a special case, because much of the time data delivered over HTTP is code that's going to be executed on a client's machine. If anything, this makes it much more important that the integrity is preserved.

Frequently repeated but still wrong. Cryptography requires one of the following: 1. Two key pairs, or 2. A shared secret.

The shared secret implies authenticity. But there are entire classes of cryptosystems based on not knowing with whom you are communicating. Crypto establishes a channel through which Alice and Bob can then negotiate authenticity. (To put it in simple terms: it's better to be phished over secure transport than to be phished over plaintext.)

For some reason, a large number of people seem to have completely skipped over this basic advantage of unauthenticated channels: you have now isolated the communication to you and your prospective phisher. This is a gain, this is an advantage, and it borders on absurd that people go to such lengths to deny this.

> Frequently repeated but still wrong.

> The shared secret implies authenticity.

Just checking: are you aware of the concept of authenticated encryption (https://en.wikipedia.org/wiki/Authenticated_encryption) and its importance?

It'd require some hard thought about what guarantees are possible and desirable, but that'd be a good thing.

jhourcle is not against https, but he/she wants the ability to use http where an exception is needed. The cost of the certificate is negligible, but the ability to keep a fragmented, heterogeneous (age wise) environment is part and parcel of the job, and NO additional funding is being provided to accomplish or operate this under https.

From reading the original and the response to other comments, it is apparent to me that jhourcle has thought this through and is only asking for an exception process that they can file for. Just as they do today for systems that are not in compliance (not related to https) for various reasons (ref: comment response).

I suppose in your case the window would be smaller using HTTPS, as the package downloaded could probably be inferred only after the download is complete. But your method would need automation anyway, so I don't think the difference in timing would really matter in practice.

But if you are in the position to automatically attack someone, why wait to see if they are downloading a fix? Why not just try to attack with known recent vulnerabilities anyway?

That said, Linux distributions don't usually use browsers to pull packages, so the point is moot.

There are a lot more funny cat picture sites than banking websites. They are fine using the same protocol they have been since 1995.

http://www.w3.org/TR/SRI/

https://wiki.whatwg.org/wiki/Link_Hashes

If you mean HTTPs is great to check if it's coming from the right server (identity/authority) then well, see how well the CA system works and how weak certificates really are (e.g. "Ron was wrong, Whit is right"). You can work around that by doing certificate pinning (see google chrome for example) and stuff like that, but in that case I'd already be better off signing the payload and sending that as part of the response.

The scientific institutes of germany worked around all the CA headaches by becoming an intermediate CA (see who signed https://www.pki.dfn.de/ ). I'd just expect more intermediate CAs popping up as a result of HTTPs only which will weaken HTTPs even more.

(And yes, I'm using https everywhere and would enable https for just about every site, except e.g. for linux iso downloads and alike)

Not for the values of "integrity" that include the possibility of intermediate tampering. You have no indication that the request received by the server is the one you sent, nor the response that you received is the one that the server sent.

Is it? Please provide a cert for ycombinator.com. Thanks.

http://www.zdnet.com/article/revenge-hack-put-5-5-million-do...

http://www.educause.edu/educause-security-breach-and-passwor...

If you're missing my point, these all of these hacked orgs had the capability to issue SSL certs.

In any case, I know it can and does happen, I just don't agree that it is "far from difficult". Having to hack an SSL provider is out of reach for the vast majority online thieves and casual snoopers.

Having been involved in all of the hacks I linked, I wouldn't describe them as anything extraordinary.

Last time I used a RapidSSL reseller, I had to authenticate my domain against a GeoTrust controlled page before the cert was issued. Is this not the case with WebNIC?

Personally, I use it on three domains, one which was done for testing purposes, and the other two because there are DNS records I would like to keep secure from manipulation. It'd be nice if TLSA/DANE was more widely supported, if only to be an additional bar against certificate forgery, but unfortunately it's not.

It'd be good if DNS servers other than Knot had decent native support for signing, but they don't in general.

The 1990s bullshit opinion that HTTPS is somehow only for 'sensitive' data is very destructive to a safe Internet.

I can easily get struck by lightning when I go outside in the rain. I can easily get eaten by mountain lions who break out of their cages when I go to the zoo.

There being a one in ten million chance of something happening doesn't dismiss all of the valid concerns the linked article raises.

The importance of HTTPS' added security is something for both the host and user to consider. The host can choose not to implement it, and the user can choose not to trust/view the data if they have even the slightest possible reason to believe their data might be modified maliciously in transit; or tracked for some sort of profiling that they want to avoid.

As it stands, I'm weary about accessing any Chinese servers without HTTPS; but I'm not at all concerned about my ISP or government MITM'ing my connections to Ars Technica for nefarious purposes. Nor do I care in the slightest if my ISP knows I read a story there about Norway planning to drop FM radio transmissions.

If every internet user were educated enough to behave in such a way, then I'd say that would be a fair suggestion, but I don't think it's reasonable to expect that the average user is capable of making such judgements.

If people are too stupid to understand taking an HTTP risk, aren't they also too stupid to risk using Gmail?

This is basically gaslighting. Network security is real and people really need it. Please refrain from shaming people for talking about the things they need.

Maybe that's acctually a good idea to consider as some sort of specification. Large file download via HTTP with some HTTPS checksum available via a single click.

You consider abortion non-sensitive and you should read legal (or whatever) information with HTTP. You are comfortable with that. Someone else is not, and would want to use HTTPS.

Interesting that this keeps coming up. I saw the same thing at the top of the comments on the Python 2/3 article here yesterday [1] That academia is full of people trying to do technical things and doing them poorly, so everyone else should hold back progress because they're barely managing as-is, with no engineering training or staffing, if you change anything it's all coming down.

Why is this a problem with Python or HTTPs and not a problem with the priorities of academic departments?

[1] https://news.ycombinator.com/item?id=9397320

But because some wonk thousands of miles away in Washington made a "HTTPS only from now on!" proclamation, all these existing projects which are working fine should be canceled? Or the staff should put in hours of unpaid overtime to learn and rewrite and test decades-old codebases?

How about you volunteer to do some of that work, and then you can criticize "priorities" and "people trying to do technical things and doing them poorly."

But we should encourage more public data not less, not add another potential step that might delay/discourage people from making data available. Making https/ssl/tls easier and easier will make this a non issue eventually.

(I had to stop myself from spamming the github issue with a link to the seven red lines video.... :) https://www.youtube.com/watch?v=BKorP55Aqvg )

> there is a statement that 'there is no such thing as insensitive web traffic' -- yet there is. [...] Forcing these transfers to go to HTTPS would cause an undue strain on limited resources that have become even more constrained over the past few years.

That HTTPS adds additional strain on resources says nothing on whether the data is sensitive or not. The entire post leaves "Non-sensitive web traffic does exist" as an assertion while going on to provide arguments around resources.

Not that "HTTPS-Only Standard" makes a particularly coherent argument in the other direction.

For example:

Assume: file.data exists and is already encrypted with enckey=K, deckey=D, algo=X, etc

Client -> https://www.example.com/file.data <-> <protocol between server/client to get deckey, algo, etc needed to decrypt>

<- transfer of file.data (from cache) without further encryption but still in the scope of the outer https. The response would carry appropriate headers to indicate where the "plain" data starts and how long it is. At this point, you can use a packet filter and see the encrypted body of the file but not the https headers or anything else.

- Client recognizes this valid https session response but takes the inner sections without further decryption. The inner section would need to be marked (as in a multi-part section), and https response headers would need to indicate which byte range of the body should be read as-is and decoded with key deckey.

Again, I am hoping for some sort of extension to https to make it cache friendly.

Advantages: File is encrypted once (or as needed if policy requires it) and caching proxies can serve the file without re-encryption per user session response.

Disadvantage: Likely need to change http/s in some way to wrap and mark plain data.

The problem is that the data is going to be encrypted per user https session and this adds a load to the server (say if you are streaming a movie or downloading a large file). With https the data has to be encrypted per user so there really is no caching on the output. Sure, the original data file can be in a cache, but what goes out (payload sans header) is the encrypted-per-user byte set. Unlike http where the payload across all users is the same.

1. Allows passive snooping (not always a problem)

2. No way of knowing whether data has been tampered with (always a problem)

Would be nice if there was a way to stop 2 (e.g. checksum sent through HTTPS), but allowed the caching benefits of 1

I can see how this would cause issues in the "presentation", i.e., how could a browser warn a user that for this session your data is not encrypted (given expectations for pages served via https have already been defaulted to 'you are at the right site + data transfers are encrypted').

This is the problem. Your organization needs to stop cargoculting IT policy. Perhaps banning HTTP will be enough pain to make that change possible.

I'd say their IT policy is not the only broken one...

This is also in a country which still doesn't teach comprehensive sex ed' in many places and for which many adults don't want kids to have access to that information.

So the question is: What is more important, allowing HTTPS proxies, or stopping governments with a CA from MitM-ing traffic (e.g. Iran, China, etc).

A nice compromise might be to inform users that they're being MitM-ed by an installed CA, but only once and subtly so.

And that's one of the core reasons I dislike HTTPS everywhere. It will lead to organizations like schools installing their own root certificates to MITM traffic, lessening the security of those things where encryption is the most important, like online banking.

Implementing web filtering is a condition of receiving federal subsidies; they take it seriously. A school with only a handful of PCs might use a host-based solution but proxy-as-the-only-way-out network design is very, very common.

That's the first time I've seen a man-in-the-middle attack described as a technique for improving security.

Even if you could convince me that it's ok to send some traffic in the clear, that wouldn't make any difference. You're just going to have to suck it up, for the benefit of the web and humanity in general.

I am starting to think this is some weird plot to make entry into any web software harder and protect those already here because the arguments for this don't make sense. I assume that caching is going to end.

As far as the fun part. Just change people's quotes, slightly. Twist words around. Make it seem like Obama really regrets the healthcare act. Or something funnier. Done well, it'd be a fantastic piece of trolling. Done really well, you could send people into a panic.

Even easier - someone just posted to CNN iReport and AAPL fell 10%. Awesome.

You asked what the benefit of encrypting news is. Well one benefit is that you restrict who can modify stories. Instead of just compromising the network, you've gotta compromise the box. There's value in making sure all data people receive comes from the source they believe it does. (Now if they decide to make trading decisions on CNN iReport or Yahoo News, well that's another issue.)

The ability for intermediaries to see what goes through is in large part why "REST" is said to aid scalability, the same point this article seems to address.

Now, both movements, "HTTPS-only" and "REST" are widely popular in dev communities. Yet I never see one acknowledge the existence of the other, which threatens it. In fact, I'd see people religiously support both, unaware of their cognitive dissonance.

Curious, I think.

This throws out all possibilities of caching. And why intermediates should differentiate more than that I cannot see. So https is in no way limiting REST.

You have not demonstrated any flaws in it, REST says communication is stateless and cacheable except for acknowledging some select minority cases when it's not the case.

Turning the minority cases into the only way of communication nullifies most of the benefits of REST, because the whole rationale of the paper is lost. I.e. intelligent shared processing and caching by intermediaries.

I'm taking no stance on what "the reality is". I'm taking no side about which side is more correct. I'm stating what both sides want, and finding it curious they don't see the contradiction.

It is true that HTTPS may impede some cacheable resources. Maybe HTTPS may be improved to allow transparent caching of _some_ content, but the security implications may be hard to predict and will require very careful implementation to not introduce new security issues with attacks on caches themselves (DNS system still has this problem AFAIK).

Instead, REST talks about a request being stateless and a response being stateless (i.e. sufficient on its own and not dependent on preceding or future communication between that client and server).

This is, again, done for the benefit of intermediaries, because intermediaries should not be forced to hold state in order to interpret REST communication. Every request, response should be sufficient on its own to be understood.

Well, that's very non-REST.

Section 5.2.2 of Fielding's thesis specifically says how per-user authenticated cannot be cached in a shared cache because they may vary per request. There are other cases mentioned too.

"All REST interactions are stateless. That is, each request contains all of the information necessary for a connector to understand the request, independent of any requests that may have preceded it. This restriction accomplishes four functions: 1) it removes any need for the connectors to retain application state between requests, thus reducing consumption of physical resources and improving scalability; 2) it allows interactions to be processed in parallel without requiring that the processing mechanism understand the interaction semantics; 3) it allows an intermediary to view and understand a request in isolation, which may be necessary when services are dynamically rearranged; and, 4) it forces all of the information that might factor into the reusability of a cached response to be present in each request."

When the paper was written, the per-user requests were supposed to be an exception, a minority case.

HTTPS will effectively make everything opaque and "per-user", and hence everything I quoted above which refers to intermediaries will no longer matter.

Restrictions in 5.1.3 ("Stateless"), 5.1.4 ("Cache"), 5.1.5 ("Uniform interface") and 5.1.6 ("Layered") would no longer apply either. All intermediaries will see is encrypted data, so shared data and functionality as explained can no longer be moved to an intermediary.

BTW, parent, way to selectively refer to a phrase in Fielding's paper while missing the point of 99% of the rest of it.

The part of 5.2.2 I was referring to is this:

If some form of user authentication is part of the request, or if the response indicates that it should not be shared, then the response is only cacheable by a non-shared cache.

This clearly indicates that returning different versions of the same resource on a per-user basis is valid REST architecture (and I was responding to the comment that Equal GET requests will often have different results based on the user doing them is very non-REST.).

While it is only one phrase, it is the only phrase that deals with user authentication and matches the discussion very well. As such I think your comment about missing 99% of his thesis is incorrect - indeed, I think choosing the correct and relevant part is precisely what "getting the point" is about.

I agree with your points about HTTPS, but that is orthogonal to the user authentication discussion in the sense that transport-layer is separate to the API design.

However, I appreciate that your points about how the transport layer affects the assumptions around API design are correct, and that going to a HTTPS-only transport mechanism may have performance impacts in many cases (especially high-volume ones).

All of REST's constraints are about encouraging cacheability and "visibility" to intermediaries. Intermediaries should in most cases be able to see which resource is being requested/returned, read the method, read the content-type and other headers.

All of this is not available during an HTTPS session. So "HTTP + a bit of HTTPs" is REST + a dose of realism.

But "HTTPs-only" is something else entirely.

HTTPS = breaking caching.

User Authentication = returning different results for per-resource queries, which is RESTful.

The exception is there for practical reasons and it doesn't satisfy REST's constraints nor benefits from REST's properties.

Either way, my point's been exhausted, so, I'll shut up now ;)

Second, HTTPS is MITMed using self-signed certificates (signed by custom CAs which are installed in browsers on the network) by proxies all the time. This is very common in corporate networks. Therefore, HTTPS currently works with proxies.

Are you sure you're not just seeing different groups of people support one or the other? I support HTTPS-only and am more or less anti-REST.

Strict, automatically-checked schemata for APIs are perfectly doable with REST, JSON or whatever Protobuf flavor. OTOH automatically-generated schemata behemoths have been created with SOAP and WS-* that I have very creative ideas about how to deal with and dispose of.

As for the easy-in-the-browser part (whether it is for tests or implementation), it was merely a side effect of reusing the HTTP spec semantics as a common-ground general purpose vocabulary. REST in itself doesn't even mandate HTTP.

Up to a point, but having a single standard that's built into all the tooling is huge. Hopefully one or other approach will "win" in the REST world and we'll start to see some convergence.

> As for the easy-in-the-browser part (whether it is for tests or implementation), it was merely a side effect of reusing the HTTP spec semantics as a common-ground general purpose vocabulary.

Intended or otherwise, it was a big advantage, and I think it was the real reason for "REST"'s success.

Perhaps he's not familiar with the story of another astronomer, Galileo, and what people thought of his data.

http://en.wikipedia.org/wiki/Galileo_Galilei

It's not always about what you think about your own data. It's also about what others think of your data... which is something beyond your control and sometimes beyond imagining.

Then there's the EFF's own backdoor, the HTTPS Everywhere plug-in. Compromise the EFF's "rules" servers, and you can redirect user traffic anywhere. Their "rules" are regular expressions which can rewrite domain names. Here's an HTTPS Everywhere rule, from their examples:

    <rule from="^http://([\w-]+\.)?dezeen\.com/"
        to="https://$1dezeen.com/" />

    <rule from="^http://(?:g-images\.|(?:ec[5x]|g-ecx)\.images-)amazon\.com/"    
    to="https://d1ge0kk1l5kms0.cloudfront.net/"/>
 

Welcome to "EFF Backdoors Everywhere".

[1] https://www.eff.org/https-everywhere/atlas/domains/amazonaws...

Yes, this is the nature of change. Not all change is good. But no good will ever be discovered without attempting change.