11-08-2020, 02:25 PM
(This post was last modified: 11-09-2020, 12:53 AM by BronzeBeard. Edit Reason: I suck at grammar.)
(11-08-2020, 01:41 PM)fsflover Wrote: Encrypting all websites is extremely important even if you have nothing to hide related to this particular website. For example, HTTPS protects you from middle-man attacks where someone can hijack the JavaScript and inject malware into it. See also: https://www.eff.org/encrypt-the-web.
No one is arguing against encrypting all websites. The argument is against forcing redirects if someone chooses to not use HTTPS.
Windows, Android, and iOS devices are massive privacy and security risks. Should we force everyone who owns those devices to use different operating systems because we deem them to be security risks? That's the same idea behind forced redirects of HTTPS.
The article you linked, I completely agree. Every website should have HTTPS. Everyone should use HTTPS Everywhere. Hell, I think HTTPS Everywhere should be built into all major web browsers and enabled by default.
However, I disagree that websites should stop offering static content via http as well. It's the user's choice if they don't want to use HTTPS, and in many cases there are valid reasons why.
Even so, let's look at EFF's arguments against HTTP that you linked:
Quote:For example, it's how GCHQ and NSA took over a Belgian ISP's computers.
Well, 99.5% of active consumer devices and computers in the world are using Windows, Android, or iOS, and all three already have NSA backdoors. So that's moot.
Quote:Content injection is also how China took down GitHub with a massive DDoS attack, dubbed "The Great Cannon".
While this might be how China DDoS'd GitHub, I'm sure they have many more tools in their arsenal. They are a multi-trillion dollar authoritarian nation state after all. In fact, I would imagine they have agents working at GitHub and/or Microsoft that could sabotage the site just as easily if they wanted to burn the asset.
Quote:Content injection is also becoming popular with ISPs.
Change ISPs, sue, pester your congress critter, sue some more, or start your own (which might require both suing and your congress critter...) But the bad actions of your ISP shouldn't dictate how I consume content. Just as I shouldn't dictate your use of Windows because it's less secure than OpenBSD.
Anyway, none of those, except maybe the DDoS, are reasons to force users to use HTTPS. Those are all reasons consumers should use HTTPS. As a provider, you should offer content however your consumers want to consume it. Some consumers have a valid reason to consume things via unsecured methods.
In the case of the DDoS, sure it mitigates that attack method by a major nation state. But to be honest, anyone can take down any server given enough resources.
Pine64 gives you the option to use http or https. If you're concerned about your privacy and security, use the latter. The former won't bother you in any way, unless the website is being targeted, and even then, there are greater security risks here, like MyBB.