Submitted by nitori in technology (edited)

It was supposed to be a noble effort to make encryption on the web more accessible to every webmaster. Which is a good thing. But instead it became hijacked by more extreme and loud voices which wanted to drop port 80 altogether and force everyone to use TLS whether it was really necessary or not. And in most cases it wasn't; imagine locking a public library's door for the whole hours of operation and having to knock loudly for the librarian inside to open the door for you (and they will lock it again after you enter, and you will have to call the librarian again to unlock the door when you go out), and replacing all the glass facing outside with exterior privacy glass (not to protect the readers' privacy; you've already put the reading areas out of view from the glass, but to prevent people outside from seeing the bookshelves full of inoffensive books). There is no money or valuables inside (so there's no reason at all to even do a burglary); everyone is free to read and take and put any book. That's how silly the so-called "secure web" is right now.

It might've been fine... if it didn't forcefully obsolete forward proxies like Polipo dedicated to caching and speeding up the web nearer to the client-side. So-called "security experts" would tell you this is fine; because after all they would need to act like a "man-in-the-middle" and therefore break HTTPS, which makes them very evil (even though you have the choice of not using the forward proxy). Also they pretend that you cannot communicate with the forward proxy with TLS and still enjoy caching, so they will fearmonger about how you are putting yourself under the mercy of passive surveillance and tampering by the oh so scary "free wifi" and home ISPs who will inject ads and tracking scripts in the "insecure" HTTP website you're browsing (which, if it isn't obvious already, can be easily countered by using a forward proxy over HTTPS, or a VPN, or Tor). Use the "free" CDNs like Cloudflare to regain back that speed and latency savings, they will say! Just ignore the fact that it is also a MitM, that it is invisible to the average user, and even if they know about it, they can't force the origin server not to use the third-party MitM, because it is the only gateway. So everyone is at the mercy of the intelligent webmaster's choice of MitM whether they like it or not. But come on, Cloudflare worked on HTTP/2 and 3, ESNI (which became ECH), and DoH, surely that must mean they are benevolent and are not looking to use those extensions to further centralize the web!

So we have an almost HTTPS-only web where every webmaster just trusts Cloudflare to handle all of their website, which means not just the static assets (which is a perfectly fine use case for CDNs), but also sensitive data they should have no business breaking in, like your cookies and passwords. And a web very hostile to clients having full control over their caching (because obviously only gateways know best for us).

I feel safer, secure, and so blazingly fast in this brave new web guys!!

4

Comments

emma wrote

i've seen projects be deployed to production with NODE_TLS_REJECT_UNAUTHORIZED=0, thus disabling certificate verification for any tls connection made by the application, because now we need https during local development which is a huge pain in the butt to set up.

4

nitori OP wrote (edited)

Oof yeah https in localhost fucking sucks lol. And funny you mention that since yesterday I did some python exercise in university where I basically made a very simple TLS server and a TLS client connecting to it exchanging raw data. It's supposedly an example of a "VPN" for my "Information Assurance and Security 2" course but I didn't see any VPN or IPsec shit in the sample code lol (professor still approved tho when I showed the code working). But it did need a self-signed cert in the server and the client specifically trusting that cert in its cafile= for ssl.create_default_context, which the lecture didn't hint at all, or try to disable the certificate verification in the sample code given (just learned right now I could've added CERT_NONE in the ssl context to disable cert verification, but eh :P)

4
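
An added example, not part of either comment above or of any project mentioned here: a small Python scanner that flags the two verification-off switches the comments name (NODE_TLS_REJECT_UNAUTHORIZED=0 and CERT_NONE, plus the check_hostname setting that goes with it) in config and source text. The file names, file contents and rule names are constructed for illustration.

```python
import re

# Each rule targets a switch named in the comments above; rule names are made up here.
RULES = [
    # Node.js: variable set to 0 via .env, Dockerfile ENV, YAML/JSON or process.env assignment.
    ("node-env-disables-verification",
     re.compile(r"NODE_TLS_REJECT_UNAUTHORIZED['\"\]]*\s*[=:]?\s*['\"]?0(?![\w.])")),
    # Python ssl: context told to accept any certificate.
    ("python-cert-none",
     re.compile(r"\bverify_mode\s*=\s*(?:ssl\.)?CERT_NONE\b")),
    # Python ssl: hostname matching off (has to be switched off before CERT_NONE is accepted).
    ("python-hostname-check-off",
     re.compile(r"\bcheck_hostname\s*=\s*False\b")),
]


def scan(files):
    """Return sorted (file, line_number, rule) for active lines that turn verification off."""
    findings = []
    for name, text in files.items():
        for lineno, line in enumerate(text.splitlines(), start=1):
            stripped = line.strip()
            if stripped.startswith(("#", "//")):  # commented-out settings are not active
                continue
            findings.extend((name, lineno, rule)
                            for rule, pattern in RULES if pattern.search(stripped))
    return sorted(findings)


# Constructed sample files (not from any real deployment).
SAMPLE = {
    "Dockerfile": "FROM node\nENV NODE_TLS_REJECT_UNAUTHORIZED 0\nCMD node server.js\n",
    ".env.production": ("# NODE_TLS_REJECT_UNAUTHORIZED=0\n"
                        "NODE_TLS_REJECT_UNAUTHORIZED=1\n"
                        "NODE_EXTRA_CA_CERTS=/etc/ssl/dev-ca.pem\n"),
    "server.js": ("if (process.env.NODE_TLS_REJECT_UNAUTHORIZED === '0') process.exit(1);\n"
                  "process.env['NODE_TLS_REJECT_UNAUTHORIZED'] = '0';\n"),
    "client.py": ("import ssl\n"
                  "ok = ssl.create_default_context(cafile='server.pem')\n"
                  "bad = ssl.create_default_context()\n"
                  "bad.check_hostname = False\n"
                  "bad.verify_mode = ssl.CERT_NONE\n"),
}

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(*finding)
```

The sample `.env.production` and the `cafile=` line pass the scan: pointing the client at the development CA or the self-signed certificate keeps verification on.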

flabberghaster wrote

I think not everything needs to be HTTPS; like I don't care if the NSA knows I'm reading web comics generally speaking. But the push for everything to be https is kind of more about the non-technical users, who don't understand what should and shouldn't be.

You want them to be mistrustful of a non-HTTPS site that asks them for payment or login information, because it's marginally harder to set up a phishing site with a valid cert (or it was...) than it is to just make it straight HTTP so the browser doesn't say "yo dude this site's cert is a little fishy".

That and there were cases of people getting their login credentials stolen at the coffee shops because bad webmasters were not securing things they needed, and now most browsers won't even let that happen. So I think it is marginally better.

4