
Some pages of this website's forum don't use https

ShelLuser

Son of Beastie

Thanks: 1,266
Messages: 2,692

#3
I'm becoming a little weary of this sudden HTTPS adoration as of late to be honest. It's not as if the use of encryption suddenly makes things a whole lot safer per definition, nor does it imply that the usage of the regular (non-encrypted) http protocol suddenly means you're insecure (well... lol ;)).

More seriously: using HTTP doesn't automatically imply that security is at risk.
 

Maxnix

Well-Known Member

Thanks: 173
Messages: 290

#4
AFAIK, only some images or links are taken from external sources that don't use HTTPS, not whole pages of the forum itself.
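
One way to check the claim in post #4 for a given page, as an added example that is not part of the thread: the script below parses a page's HTML and lists every reference that still uses plain http, grouped by how a browser treats it. The sample page and its example.* hosts are constructed, and the names KINDS, MixedContentFinder and find_mixed_content are this example's own.

```python
from html.parser import HTMLParser

# (tag, attribute) pairs worth flagging on an HTTPS page. Browsers block
# "active" loads, treat "passive" ones more leniently, and "navigation"
# targets are not mixed content but leave HTTPS when followed or submitted.
KINDS = {
    ("script", "src"): "active", ("iframe", "src"): "active", ("link", "href"): "active",
    ("img", "src"): "passive", ("audio", "src"): "passive", ("video", "src"): "passive",
    ("a", "href"): "navigation", ("form", "action"): "navigation",
}


class MixedContentFinder(HTMLParser):
    """Collect plain-http references found in one HTML document."""

    def __init__(self):
        super().__init__()
        self.findings = []  # (kind, tag, url) in document order

    def handle_starttag(self, tag, attrs):
        rel = (dict(attrs).get("rel") or "").lower()
        for name, value in attrs:
            url = (value or "").strip()
            kind = KINDS.get((tag, name))
            if not kind or not url.lower().startswith("http://"):
                continue  # https://, protocol-relative and relative URLs are fine
            if tag == "link" and "stylesheet" not in rel:
                continue  # e.g. rel=canonical is never fetched as a sub-resource
            self.findings.append((kind, tag, url))


def find_mixed_content(html):
    finder = MixedContentFinder()
    finder.feed(html)
    finder.close()
    return finder.findings


# Constructed sample page; all hosts are placeholders.
SAMPLE = """
<html><head>
<link rel="stylesheet" href="https://forum.example/style.css">
<link rel="canonical" href="http://forum.example/thread/1">
<script src="http://cdn.example/widget.js"></script>
</head><body>
<img src="http://images.example/avatar.png">
<img src="//images.example/ok.png">
<a href="http://other.example/page">external link</a>
</body></html>
"""
```

Running find_mixed_content over the saved HTML of a forum page shows whether the insecure references are limited to embedded images and outbound links, or also include scripts, frames or stylesheets.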
 

drhowarddrfine

Son of Beastie

Thanks: 821
Messages: 2,612

#5
> It's not as if the use of encryption suddenly makes things a whole lot safer per definition
When you're running everything encrypted, it helps keep out man-in-the-middle attacks and low hanging fruit like anything using PHP/Wordpress and the far too many easy access things for script kiddies. If someone wants to get you, they're going to get you, but that's not most of us.
 

ShelLuser

Son of Beastie

Thanks: 1,266
Messages: 2,692

#6
> When you're running everything encrypted, it helps keep out man-in-the-middle attacks
Except that it doesn't. Because faking a certificate isn't rocket science. For example, already in 2013 it got discovered that the French government used fake Google certificates to snoop in on traffic. And there are plenty of reports about rogue CAs which mistakenly (or willingly) gave out the wrong certificates, for example by not demanding that clients prove that they actually own the domain for which they wanted a certificate.

Also: you do realize that it's not exactly hard to get a client (or software product, some refuse to use a centralized certificate store) to trust a certain certificate, right?

All this pushing for encryption does is create a false sense of safety. The website data is encrypted, so everything is safe. Yet... it's not.
 

drhowarddrfine

Son of Beastie

Thanks: 821
Messages: 2,612

#7
You're talking about bad cert suppliers and not TLS or https, and those suppliers were not ones any responsible site would use, and I'm sure they are no longer in that business. Clients deciding to trust any one also is not a fault of ssl or certs. Not giving proof of ownership is an issue for one not using known suppliers, but I'm betting your browser never trusted them anyway.

On my phone so can't check your French link, but as I said, if someone with the means wants to get you, they will, no matter what you do.
 

OJ

Daemon

Thanks: 253
Messages: 1,038

#8
Https is certainly a convenience and encryption a necessity for security, but note that it is the system, libraries, and software around it that gets hacked.
 

ronaldlees

Aspiring Daemon

Thanks: 260
Messages: 664

#10
> Https is certainly a convenience and encryption a necessity for security, but note that it is the system, libraries, and software around it that gets hacked.
If I click on Datapanic's last url, I WILL find manufactured certs bouncing around me (but not from that site)!

Except for the certs (always assuming they're compromised on any site is the only stone-wall option) - the known encryption hacks are done on the handshake or digest protocols. The unknown ones ... maybe not!
 
Thanks: OJ