Board

/g/ - Technology ▼ Settings Home

Return Catalog Bottom Refresh

Post a Reply

View Announcement

Anonymous 05/14/18(Mon)14:50:14 No.65937038

Is there ever a reason to use http over https?

4 KB PNG

Anonymous 05/14/18(Mon)14:50:54 No.65937043

No

Https has already been cracked by NSA

Anonymous 05/14/18(Mon)14:50:59 No.65937047

>>65937038
No. Maybe to make things easier for the NSA.

Anonymous 05/14/18(Mon)14:51:49 No.65937056

>>65937043
depends on ssl and tls version

Anonymous 05/14/18(Mon)14:54:12 No.65937091

>>65937038
For a slight performance boost. You can use it for your static pages I guess

Anonymous 05/14/18(Mon)15:07:19 No.65937249

>>65937038
Yes, http is free (you see what gets send)

Anonymous 05/14/18(Mon)15:09:23 No.65937271

>>65937091
Generally thanks to response features that are only enabled over HTTPS, HTTP will be slower than correctly configured HTTPS even
for static pages nowadays

Anonymous 05/14/18(Mon)15:13:48 No.65937330

Now that we have Lets Encrypt, the only remaining reason to not use TLS has vanished.

Anonymous 05/14/18(Mon)15:16:28 No.65937374

>>65937038
http is comfier

Anonymous 05/14/18(Mon)15:17:52 No.65937401

would love if there was some way to do it in onion-service style when you can address domain by hash of public key thus knowing
domain name in advance allows you to check if cert is valid without CA signing infrastructure

Anonymous 05/14/18(Mon)15:20:43 No.65937444

It can be useful during certain testing scenarios.

Anonymous 05/14/18(Mon)15:23:19 No.65937478

>>65937271
So only https from now on. Thanks for the info.

Anonymous 05/14/18(Mon)15:34:34 No.65937614

>>65937038
>Go to public website that has info I need
>Browser security warning: certificate expired, or some other certificate related shit
>Try http
>Automatically jumps to https, so back to step 2
>Doesn't allow me to add exception
>Sysop asleep with feet on table, so will take a while
>Public website, so no need for this data to be encrypted anyway
Happens more often than it should.

Anonymous 05/14/18(Mon)16:55:59 No.65938580

>>65937043
>cracked
No, they have access to resign certs without it being evident. This isn't difficult to do if you're able to pressure a CA into giving you a
subordinate CA cert.

Anonymous 05/14/18(Mon)17:04:56 No.65938696

The whole PKI thing is foobar. It makes it a little harder for the chinks to see your passwords, but it makes it trivial for the
government(s) to monitor you. The CA's have to comply to judicial orders, like any other company. Certificate revoking is broken by
design.

Anonymous 05/14/18(Mon)17:40:51 No.65939192

>>65937043
Does NSA sell the cracks to hackers?

Anonymous 05/14/18(Mon)17:41:58 No.65939212

>>65937043
Massive if factual

Anonymous 05/14/18(Mon)17:57:10 No.65939405

>>65939192
No they just keep their tools on shitty air gapped computers that get owned either through heat distribution or physical access.
Aforementioned tools are subsequently leaked.

Anonymous 05/14/18(Mon)18:16:54 No.65939628

>>65937038
on a correctly configured webserver, https is actually faster than http.
also, many of the fancy "new" features of http only work over https.
so you have no excuse to use plaintext http.

Anonymous 05/14/18(Mon)20:15:46 No.65940795

Yes... kind of.

For a while at my old university, in order to connect to the wifi, you had to sign in via a web page. The web page would show up
whenever you tried to access any other website, but it couldn't show up if you were using HTTPS.

I have no idea how the fuck that worked, but I'm guessing there are some instances of shitty legacy software not working with SSL. In
general, however, you should always encrypt everything if you don't have a specific reason not to.
Anonymous 05/14/18(Mon)20:17:56 No.65940816

>>65937056
don't they have a very limited time window to do the attack? (basically the length of the session)

Anonymous 05/14/18(Mon)20:20:34 No.65940843

>>65937038
When u want to use only one http

Anonymous 05/14/18(Mon)20:25:41 No.65940892

>>65940795
Probably HSTS.
Basically HSTS lets website owners specify that their site cannot be used if the certs and shit aren't valid.

What happens:
>Your phone tries to navigate to Google.com
>Captive portal captures your traffic and forwards you to a sign in page
>browser sees that cert does not match Google's
>HSTS prevents the page from being shown

Unless the portal website was so shit that it wasn't configured for HTTPS at all and just tried to send back HTTP.

Anonymous 05/14/18(Mon)20:28:37 No.65940925

>>65938696
HTTPS was never designed to keep the NSA from monitoring the internet.

It does keep some asshole with a SPAN port somewhere from succing up plaintext credentials, or from a skid sitting there at
starbucks sniffing everyone not using a VPN.

Anonymous 05/14/18(Mon)20:31:05 No.65940951

>>65940816
yes they try to MITM it or some autism shit. cracking it afterhand would take years. that's why they just collect data and hope to break it
when someone smarter than them figures out how (and when computers are more powerful, which *looks at intel* isn't going to
happen as fast as they think)

Anonymous 05/14/18(Mon)20:31:38 No.65940954

>>65940892

I think that's what my university's old portal was doing. My solution to that was always to use an HTTP only site to access the portal.

Anonymous 05/14/18(Mon)20:34:20 No.65940978

>>65940892
This is why alwayshttp.com exists

http://www.alwayshttp.com/

Post a Reply

Return Catalog Top Refresh

[Disable Mobile View / Use Desktop Site]

About • Feedbac k • Legal • Contac t