Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

The people getting their money and accounts stolen care. The blog owner cares about the reputational hit. People who care about the success of the web care because it makes the web more risky than people using mobile apps.


Yes and if you slit your wrists with a knife you will likely die. Do stupid things, bad things happen. Stop nannying people.


So visiting a website is doing a stupid thing? Your recommendation is essentially telling people to stop visiting websites or accept bad things will happen to them. This is not a healthy viewpoint for growing the web.


The stupid behaviors listed above are putting your google password or payment info into a random blog, or running a program it gives you because it says you need to update.

Doing that is stupid whether it's http or valid https or broken https.


Okay, but if a user went to a http version of YouTube and put in your payment info to buy a movie, as opposed to remembering it should take him to an https Google page, I would find that a plausible situation that is hard to blame the user for. Attackers being able to hijack the reputation of sites is problematic.


> Attackers being able to hijack the reputation of sites is problematic.

And the whole point of this thread is that some sites have 0 reputation to hijack.


Youtube does not have 0 reputation. The point of this thread is arguing the merits of requiring sites that don't handle sensitive informationfto use https.


Nobody mentioned YouTube until your previous post. The example of 0 reputation was a ten year old blog post found via a comment.

And "logins" were explicitly listed as important to secure, in that same comment. So that double covers YouTube for just about everybody.


> The people getting their money and accounts stolen care.

> People who care about the success of the web care because it makes the web more risky than people using mobile apps.

The main comparison here is whether a middleman injected it or the blog inserted it server-side. The level of risk is similar either way.

> The blog owner cares about the reputational hit.

If the blog hasn't been updated in ages, they probably don't.


>The level of risk is similar either way.

There is still risk, but this is a form of risk which is not neccessary and can be reduced.

>If the blog hasn't been updated in ages, they probably don't.

We are talking about blogs that don't use https because they don't sell things. Expired certificates are out of scope of this comment thread.


> There is still risk, but this is a form of risk which is not neccessary and can be reduced.

It reduces it a little bit. But if you drop the risk of a random site being malicious by 25% that's not a very important change. The user still has to be wary. That reduction is not worth anything as drastic as blocking the site.

> We are talking about blogs that don't use https because they don't sell things. Expired certificates are out of scope of this comment thread.

I got the impression we were primarily talking about broken https. It's definitely not out of scope entirely:

"If it says the certificate for your bank is expired, you need to stop. If it says the certificate for the 10 year old public blog post that was linked by a 5 year old Reddit post as describing the solution to your problem, that should not matter, and you just want to read the non-secret contents of whatever is on that page regardless of whether the site's maintainer turned on HTTP to HTTPS redirects and then neglected to renew the certificate."




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: