No
>>65937038
No. Maybe to make things easier for the NSA.
>>65937043
depends on ssl and tls version
>>65937038
For a slight performance boost. You can use it for your static pages I guess
>>65937038
Yes, http is free (you see what gets sent)
>>65937091
Generally thanks to response features that are only enabled over HTTPS, HTTP will be slower than correctly configured HTTPS even for static pages nowadays
Now that we have Let's Encrypt, the only remaining reason to not use TLS has vanished.
would love if there was some way to do it onion-service style, where you can address a domain by the hash of its public key; knowing the domain name in advance then allows you to check if the cert is valid without CA signing infrastructure
>>65937271
So only https from now on. Thanks for the info.
>>65937038
>Go to public website that has info I need
>Browser security warning: certificate expired, or some other certificate related shit
>Try http
>Automatically jumps to https, so back to step 2
>Doesn't allow me to add exception
>Sysop asleep with feet on table, so will take a while
>Public website, so no need for this data to be encrypted anyway
Happens more often than it should.
>>65937043
>cracked
No, they have access to resign certs without it being evident. This isn't difficult to do if you're able to pressure a CA into giving you a subordinate CA cert.
The whole PKI thing is foobar. It makes it a little harder for the chinks to see your passwords, but it makes it trivial for the government(s) to monitor you. The CAs have to comply with judicial orders, like any other company. Certificate revoking is broken by design.
>>65937043
Does NSA sell the cracks to hackers?
>>65937043
Massive if factual
>>65939192
No they just keep their tools on shitty air gapped computers that get owned either through heat distribution or physical access.
Aforementioned tools are subsequently leaked.
>>65937038
on a correctly configured webserver, https is actually faster than http.
also, many of the fancy "new" features of http only work over https.
so you have no excuse to use plaintext http.
For a while at my old university, in order to connect to the wifi, you had to sign in via a web page. The web page would show up whenever you tried to access any other website, but it couldn't show up if you were using HTTPS.
I have no idea how the fuck that worked, but I'm guessing there are some instances of shitty legacy software not working with SSL. In general, however, you should always encrypt everything if you don't have a specific reason not to.
Anonymous 05/14/18(Mon)20:17:56 No.65940816
>>65937056
don't they have a very limited time window to do the attack? (basically the length of the session)
>>65937038
When u want to use only one http
>>65940795
Probably HSTS.
Basically HSTS lets website owners specify that their site cannot be used if the certs and shit aren't valid.
What happens:
>Your phone tries to navigate to Google.com
>Captive portal captures your traffic and forwards you to a sign in page
>browser sees that cert does not match Google's
>HSTS prevents the page from being shown
Unless the portal website was so shit that it wasn't configured for HTTPS at all and just tried to send back HTTP.
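As an added example that is not from the thread, here is a small Python model of the HSTS behaviour described above: a policy learned over HTTPS upgrades later http:// navigations before any plaintext request is sent, and a certificate mismatch on an HSTS host is a hard failure with no click-through, so a captive portal can only intercept hosts the browser holds no policy for. The hostnames and the header value are constructed.

```python
import re
import time

class Browser:
    # Simplified model of RFC 6797 HSTS handling in a browser (constructed, not real browser code).
    def __init__(self, now=time.time):
        self.hsts = {}   # host -> (expiry timestamp, includeSubDomains)
        self.now = now

    def record_https_response(self, host, headers):
        # Only a response received over HTTPS may set or clear HSTS for a host.
        sts = headers.get("Strict-Transport-Security")
        if sts is None:
            return
        m = re.search(r'max-age\s*=\s*"?(\d+)"?', sts, re.I)
        if m is None:
            return
        max_age = int(m.group(1))
        inc = re.search(r"(^|;)\s*includeSubDomains\s*(;|$)", sts, re.I) is not None
        if max_age == 0:
            self.hsts.pop(host, None)   # max-age=0 removes the policy
        else:
            self.hsts[host] = (self.now() + max_age, inc)

    def is_hsts_host(self, host):
        # Walk up the labels: a parent policy with includeSubDomains covers this host.
        labels = host.split(".")
        for i in range(len(labels)):
            entry = self.hsts.get(".".join(labels[i:]))
            if entry and entry[0] > self.now() and (i == 0 or entry[1]):
                return True
        return False

    def navigate(self, url, cert_valid_for_host):
        # Returns 'page', 'warning' (user may add an exception) or 'blocked' (no exception).
        scheme, _, rest = url.partition("://")
        host = rest.split("/")[0]
        if scheme == "http" and self.is_hsts_host(host):
            scheme = "https"   # upgraded internally before any plaintext request leaves
        if scheme == "http" or cert_valid_for_host:
            return "page"      # plain HTTP can be intercepted by the portal; valid cert just loads
        return "blocked" if self.is_hsts_host(host) else "warning"

def captive_portal_scenario():
    # Phone on portal wifi: the portal answers every host with its own certificate.
    b = Browser()
    # Earlier, over HTTPS, google.com sent this (constructed) policy header.
    b.record_https_response("google.com", {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"})
    urls = ["http://google.com/", "http://mail.google.com/", "http://example.org/", "https://example.org/"]
    return {u: b.navigate(u, cert_valid_for_host=False) for u in urls}
```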
>>65938696
HTTPS was never designed to keep the NSA from monitoring the internet.
It does keep some asshole with a SPAN port somewhere from succing up plaintext credentials, or from a skid sitting there at starbucks sniffing everyone not using a VPN.
>>65940816
yes they try to MITM it or some autism shit. cracking it afterward would take years. that's why they just collect data and hope to break it when someone smarter than them figures out how (and when computers are more powerful, which *looks at intel* isn't going to happen as fast as they think)
>>65940892
I think that's what my university's old portal was doing. My solution to that was always to use an HTTP only site to access the portal.
>>65940892
This is why alwayshttp.com exists
http://www.alwayshttp.com/