On Thu, 17 Sep 2015, grarpamp wrote:

> Is there some reason "freebsd.org" and all its
> subdomains don't immediately 302 over to
> https foreverafter?

Is there a reason to encrypt something that is completely public? Perhaps to allow the visitor to conceal the fact that they are interested in FreeBSD? That won't work, since the IP address of the server can't be encrypted. I feel like I am missing something.

dan feenberg
>> Is there some reason "freebsd.org" and all its
>> subdomains don't immediately 302 over to
>> https foreverafter?
>
> Is there a reason to encrypt something that is completely public? Perhaps to allow the visitor to conceal the fact that they are interested in FreeBSD? That won't work, since the IP address of the server can't be encrypted. I feel like I am missing something.

Privacy is often important, but authentication (i.e. not having content tampered with) may be more important in many cases.

The US and UK governments are owning sysadmins who browse non-HTTPS sites:
http://www.spiegel.de/international/world/ghcq-targets-engineers-with-fake-linkedin-pages-a-932821.html
https://theintercept.com/2014/03/20/inside-nsa-secret-efforts-hunt-hack-system-administrators/

The Chinese government hijacked non-HTTPS sessions to inject DDoS javascript:
https://www.eff.org/deeplinks/2015/04/china-uses-unencrypted-websites-to-hijack-browsers-in-github-attack

If often-used sites migrate to HTTPS (together with HSTS) these attacks will become a lot harder.

I'm also seeing more demand for HTTPS from customers. In Europe there has been a lot of mainstream coverage of tech privacy issues, and various non-technical people now distrust sites that don't have "a lock". So it also has credibility/PR benefits to use it by default.

There is always effort involved in making the switch, but for most sites and applications this is probably not an unreasonable amount given the benefits.

-- 
Walter Hop | PGP key: https://lifeforms.nl/pgp
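The "HTTPS together with HSTS" posture Walter describes can be checked mechanically. The following is an added example, not code from this thread or from the FreeBSD project: it parses a Strict-Transport-Security header (RFC 6797) and audits a pair of responses for the plain-HTTP redirect and the subdomain coverage grarpamp asked about. The host name and all responses are constructed, not captured.

```python
from dataclasses import dataclass
from urllib.parse import urlsplit

@dataclass
class Response:
    status: int
    headers: dict  # header names lower-cased, as a client library would present them

def parse_hsts(value):
    """Parse a Strict-Transport-Security header value (RFC 6797) into a dict."""
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in value.split(";"):
        name, _, val = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            try:
                policy["max_age"] = int(val.strip().strip('"'))
            except ValueError:
                policy["max_age"] = None
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
    return policy

def audit(http_response, https_response, min_age=15552000):
    """Return a list of findings; an empty list means the site passes."""
    findings = []
    # 1. Plain-HTTP requests should be redirected straight to the https:// origin.
    loc = http_response.headers.get("location", "")
    if http_response.status not in (301, 302, 307, 308) or urlsplit(loc).scheme != "https":
        findings.append("plain HTTP does not redirect to https")
    # 2. Only the header on the HTTPS response counts: RFC 6797 tells browsers to
    #    ignore Strict-Transport-Security received over plain HTTP.
    hsts = https_response.headers.get("strict-transport-security")
    if hsts is None:
        findings.append("no Strict-Transport-Security header")
        return findings
    policy = parse_hsts(hsts)
    if policy["max_age"] is None or policy["max_age"] < min_age:
        findings.append("HSTS max-age missing or shorter than %d seconds" % min_age)
    if not policy["include_subdomains"]:
        findings.append("HSTS policy does not cover subdomains")
    return findings

# Constructed sample responses (hypothetical host, not real captures).
WEAK_HTTP = Response(200, {"content-type": "text/html"})
WEAK_HTTPS = Response(200, {"strict-transport-security": "max-age=3600"})
GOOD_HTTP = Response(301, {"location": "https://www.example.org/"})
GOOD_HTTPS = Response(200, {"strict-transport-security": "max-age=31536000; includeSubDomains; preload"})
```

The default `min_age` of 15552000 seconds (180 days) is an assumption chosen here as a reasonable floor; `audit(WEAK_HTTP, WEAK_HTTPS)` reports all three findings, `audit(GOOD_HTTP, GOOD_HTTPS)` reports none.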
Daniel Feenberg <feenberg at nber.org> writes:

> Is there a reason to encrypt something that is completely public?

Watering hole attacks.

DES
-- 
Dag-Erling Smørgrav - des at des.no
On Fri, Sep 18, 2015 at 07:45:29AM -0400, Daniel Feenberg wrote:

> Is there a reason to encrypt something that is completely public?
> Perhaps to allow the visitor to conceal the fact that they are
> interested in FreeBSD? That won't work, since the IP address of the
> server can't be encrypted. I feel like I am missing something.

There may be no reason to encrypt it, but there's plenty of reason to authenticate it. That is, when you browse FreeBSD.org, you'd probably prefer to know that the content wasn't modified in transit to include a 0-day JavaScript exploit.

-nd.