This thread is about a video originally posted by reemo in the good videos thread. I wanted to respond to it, but going into an in-depth response in a general dumping-grounds thread doesn't really work and can even be considered disruptive to the topic (lol). But this topic isn't a meta commentary on my gripes with general topics; that one will come later.
I'm pretty sure this video already crossed my path sometime last week, but I decided not to watch it for one reason or another, something which I'm a little embarrassed to admit in hindsight. Granted, it was while I was scrolling around on my phone and didn't feel very in the mood to watch it, but I didn't even bother throwing it in the Watch Later playlist as I usually would. It's made even funnier by the fact that somewhere through the video, I went to go subscribe to the channel that made it only to find out I was already subscribed (Harder Drive is also a very good video that I recommend watching).
There's very little that I disagree with in this video; the best I can come up with is that the example of MITM neglected to mention that someone sitting near you could also be intercepting a wireless connection or something like that, rather than just that grand-scale example. Basically every website that I host has HTTPS set up with a best-to-my-ability configuration. Most of that is just configurations I inherited from other websites that genuinely need it, because I do think that both Flashii (as an identity provider) and Patchii (where the underlying code is authored) are websites where encrypting traffic definitely makes sense; for my personal website flash.moe it doesn't really matter that much... The main reason why I continue to bother with it boils down to "well, I have the configuration set up already anyway, so I may as well", along with the weak, vague promise of integrity, since MITM attacks could also be used to modify information presented to a user, and nowadays with the introduction of the social-pressure scary screens browsers pull up, along with the disabling of entire swathes of APIs in the JavaScript context. One of these probably stands out like a sore thumb, doesn't it?
Social pressure is one of the most powerful weapons there is. I don't know if that term really encompasses the meaning I'm trying to convey, but for the scope of this argument I think it will do as a fine stand-in. I started messing with websites in about 2011. Back then "insecure" websites were definitely still the norm, but browsers didn't make a big deal out of that, which makes sense considering that demanding every small website fork over 300 bucks (generous estimate) for a basic TLS certificate wasn't very reasonable and free options were not available. So rather than indicating in the URL bar that a website wasn't secure with a warning triangle, it would put more emphasis on the fact that a website did have TLS-provided encryption going on, sometimes making the entire URL bar green! One side effect of that is that that perceived exclusivity did make it look really cool (to me at least), especially with the way EV certificates used to also show the name of the company the certificate was issued to. EV certs having this special highlighting was eventually killed off because it turned out to be very easy to spoof and abuse because of assumptions a user was essentially told to make based on it, but that same argument could again be applied to the way HTTPS in general is talked about in the current meta. Anyway, because of that I was pretty quick to jump on the Let's Encrypt train when that service was made available to the public, to set up my websites with free TLS certificates. I'm extremely hesitant to refer to ACME protocol providers like Let's Encrypt as a trojan horse because I do believe that a majority of the people working on it do so with the best intentions (sure, road to hell and all), but that's ultimately what it has ended up being, hasn't it?
About a year or two ago I was helping someone get a little blog website going, and setting up the HTTPS business was the biggest hurdle to getting things up and running. I'm not sure if she would've bothered to continue setting it up if it weren't for me being there to answer questions regarding the process, and that's understandable, because despite the importance that's placed on having HTTPS configured it remains a massive pain to debug. Most probably don't even consider setting up their own website anymore and opt for a Substack, a Medium or whatever other flavour-of-the-week platform can then hold your work hostage. Ultimately it's hard to look at the toxic max-security mindset as anything other than the needless adding of hurdles, and while not intended by many of the people pushing it, it's definitely by design and a tough thing to resist given that the big corpos that want to enforce these hurdles are also the ones that control the software used to browse the world wide web. I don't think it's unfair for someone to be turned away from visiting a website when they are met with the massive DANGER DANGER DANGER NO CERTIFICATE OF PROSTRATION warning.
Really loved the way he abused the protocols to work as suboptimally as possible, that was very funny to witness. I also enjoyed his serious rejection of the notion that writing your own crypto related code is illegal.

make www now
