This thread is about a video originally posted by reemo in the good videos thread. I wanted to respond to it but going in in-depth response in a general dumping grounds thread doesn't really work and can even be considered as disruptive to the topic (lol). But this topic isn't a meta commentary on my gripes with general topics, that one will come later.
I'm pretty sure this video already crossed my path sometime last week but I decided not to watch it for one reason or another, something which I'm a little embarassed to admit in hindsight. Granted it was while I was scrolling around on my phone and didn't feel very in the mood to watch it but I didn't even bother throwing it in the Watch Later playlist as I usually would. It's made even funnier by the fact that somewhere through the video, I went to go subscribe to the channel that made it only to find out I was already subscribed (Harder Drive is also a very good video that I recommend watching).
There's very little that I disagree with in this video, the best I can come up with is that the example of MITM neglected to mention that someone that's sitting near you could also be intercepting a wireless connection or something like that, rather than just that grand scale example. Basically every website that I host has HTTPS set up with a best-to-my-ability configuration. Most of that I just inherited configurations from other websites that genuinely need it because I do think that both Flashii (as an identity provider) and Patchii (where the underlying code is authored) are websites where encrypting traffic definitely makes sense, for my personal website flash.moe it doesn't really matter that much... The main reason why I continue to bother with it boils down to "well I have the configuration set up already anyway, so I may as well" along with the weak vague promise of integrity, since MITM attacks could also be used to modify information presented to a user, and nowadays with the introduction of the social pressure scary screens browsers pull up along with the disabling of entire swathes of APIs in the Javascript context. One of these probably stands out like a sore thumb, doesn't it?
Social pressure is one of the most powerful weapons there is. I don't know if that term really encompasses the meaning I'm trying to convey, but for the scope of this argument I think it will do as a fine stand-in. I started messing with websites in about 2011. Back then "insecure" websites were definitely still the norm but browsers didn't make a big deal out of that, which makes sense considering demanding every small website to fork over 300 bucks (generous estimate) for a basic TLS certificate wasn't very reasonable and free options were not available. So rather than indicating in the URL bar that a website wasn't secure with a warning triangle, it would put more emphasis on the fact that a website did have TLS-provided encryption going on, sometimes making the entire URL bar green! One side effect of that is that that perceived exclusivity did make it look really cool (to me at least), especially with the way EV-certificates used to also show the name of the company the certificate was issued to. EV-certs having this special highlighting was eventually killed off because it turned out to be very easy to spoof and abuse because of assumptions a user was essentially told to make based on it, but that same argument could again be applied to the way HTTPS in general is talked about in the current meta. Anyway, because of that I was pretty quick to jump on the Lets Encrypt train when that service was made available to the public to set up my websites with free TLS certificates. I'm extremely hesitant to refer to ACME protocol providers like Lets Encrypt as trojan horse because I do believe that a majority of the people working on it do so with the best intentions (sure, road to hell and all), that's ultimately what it has ended up being hasn't it?
About a year or two ago I was helping someone get a little blog website going and setting up the HTTPS business was the biggest hurdles to getting things up and running, I'm not sure if she would've bothered to continue setting it up if it weren't for me being there to answer questions regarding the process, and that's understandable because despite the importance that's placed on having HTTPS configured it remains a massive pain to debug. Most probably don't even consider setting up their own website anymore and opt for a Substack, a Medium or whatever other flavour of the week platform can then hold your work hostage. Ultimately it's hard to look at the toxic max-security mindset as anything other than the needless adding of hurdles and while not intended by many of the people pushing it, its definitely by design and a tough thing to resist against given the big corpos that want to enforce these hurdles are also the ones that control the software used to browse the world wide web. I don't think it's unfair for someone to be turned away from visiting a website when they are met with the massive DANGER DANGER DANGER NO CERTIFICATE OF PROSTRATION warning.
Really loved the way he abused the protocols to work as suboptimally as possible, that was very funny to witness. I also enjoyed his serious rejection of the notion that writing your own crypto related code is illegal.
make www now
my issue with forced tls in any domain, but especially with http, has always been directly tied to my distaste for the general direction of popular software development trends over the last decade and a half or so. as computing devices have become more popular and accessible to the general public, many companies and organizations in charge of operating systems, web browsers, and general standards have become very heavy-handed in their top down enforcement of what is the "Official Best and Correct Way" of doing things, and that attitude has trickled down to the sentiments of the average peasant programmer taught during this particular epoch
tom brings up the popular notion of "don't roll your own crypto" in the video, which is adjacent to my eternal hobby horse against the infernal notion of "not reinventing the wheel". while i understand the logic behind the former statement as you could unintentionally open attack vectors through implementing any given algorithm incorrectly (not to mention that crypto algos as defined in RFCs are basically magic unless you understand the math behind what it is doing), the uttering of it brings along the same unconscious notion as "not reinventing the wheel" does. you're too much of a big dummy IDIOT, don't even TRY, stay in this little box and the professionals (that we have designated arbitrarily btw) will handle it. if more people were willing to "roll their own crypto", maybe we would have more crypto libraries available to the world and 99.whatever per cent of people wouldn't be stuck with the world's most absurd bottleneck, namely openssh. i wonder if there might be any incentive from bad actors in governments or corporations to mess with that project at all......
that aside, http simply does not need to be sent over tls at all times. i have heard the arguments, the mantras repeated endlessly by those who pretend like they are smart and have original opinions with all the snark, and i just don't buy it. as you've said flash, if you're setting up a website that just sends plain text to the requester there is essentially no reason for anyone to fuck with it, and if they do i frankly don't care. that's your problem, you are the one operating the computer asking for the website, figure out why the hell there are men in your middle and go fucking kill them or whatever you gotta do. the incompetence of the requester is irrelevant to me, i am giving you the data that i know is correct, and i will not waste my time or computing power sending fucking PLAIN TEXT over 4096 bit encryption. it's a waste of my time, my processing power, your processing power, and you've learned nothing about the safe operation of computers in the process. i had a similar issue with that stupid bear camera livestream being over http, which is something i care about people intercepting even less than some text on a website. it's hard enough to get anyone to make anything from scratch on the internet these days, adding more barriers for someone to put up a blog or whatever is not helping this at all especially when it is completely pointless and needlessly time consuming
easily my favorite part of the vid is his subverting of the protocols and algorithms to effectively prove that someone acting in bad faith could negate all of the perceived security given by this blatant waste of processing time, as well as highlighting the absurdity of the steps required just to send a plaintext website over all of this rigamarole. it was a real chef's kiss, i love this guy
tom brings up the popular notion of "don't roll your own crypto" in the video, which is adjacent to my eternal hobby horse against the infernal notion of "not reinventing the wheel". while i understand the logic behind the former statement as you could unintentionally open attack vectors through implementing any given algorithm incorrectly (not to mention that crypto algos as defined in RFCs are basically magic unless you understand the math behind what it is doing), the uttering of it brings along the same unconscious notion as "not reinventing the wheel" does. you're too much of a big dummy IDIOT, don't even TRY, stay in this little box and the professionals (that we have designated arbitrarily btw) will handle it. if more people were willing to "roll their own crypto", maybe we would have more crypto libraries available to the world and 99.whatever per cent of people wouldn't be stuck with the world's most absurd bottleneck, namely openssh. i wonder if there might be any incentive from bad actors in governments or corporations to mess with that project at all......
that aside, http simply does not need to be sent over tls at all times. i have heard the arguments, the mantras repeated endlessly by those who pretend like they are smart and have original opinions with all the snark, and i just don't buy it. as you've said flash, if you're setting up a website that just sends plain text to the requester there is essentially no reason for anyone to fuck with it, and if they do i frankly don't care. that's your problem, you are the one operating the computer asking for the website, figure out why the hell there are men in your middle and go fucking kill them or whatever you gotta do. the incompetence of the requester is irrelevant to me, i am giving you the data that i know is correct, and i will not waste my time or computing power sending fucking PLAIN TEXT over 4096 bit encryption. it's a waste of my time, my processing power, your processing power, and you've learned nothing about the safe operation of computers in the process. i had a similar issue with that stupid bear camera livestream being over http, which is something i care about people intercepting even less than some text on a website. it's hard enough to get anyone to make anything from scratch on the internet these days, adding more barriers for someone to put up a blog or whatever is not helping this at all especially when it is completely pointless and needlessly time consuming
easily my favorite part of the vid is his subverting of the protocols and algorithms to effectively prove that someone acting in bad faith could negate all of the perceived security given by this blatant waste of processing time, as well as highlighting the absurdity of the steps required just to send a plaintext website over all of this rigamarole. it was a real chef's kiss, i love this guy