
xkeeper
@xkeeper

i got yelled at once for saying i should be able to disable https if i want in some cases. how dare i encroach on security!!!!!!

99% of the time you don't need shit to be secure. you won't care. but i find that it's increasingly like those public cctv and security cameras you see everywhere: it's suffocating, and critically, it also kills off every alternative, old client out there.

like, great, yeah. you require tls 1.3, and the latest certs to be installed. anything that's too old to get an update now? dead. there's nothing you can do. an end user is completely unable to do anything about these issues outside of buying a new device.

you have something retro you want to get online? too bad. have fun setting up a bunch of weird proxies to get around things. you want to download old software? guess what: it's often also hosted on these sites with higher requirements. you can't download k-meleon on older systems, a browser that tries to support newer encryption protocols specifically for older shit, because... the download system requires the modern ciphers and refuses anything else.

i think the most damning thing of all is that, as much as Google is leading the charge in enforcing these, showing scary NOT SECURE!!!!!!! if you dare to use http for anything... their shit still works with it. i'm pretty sure if you dump google.com in windows 98 internet explorer, it will still dutifully load an old search page, that, critically, still works.

my take on it is just: do you need it? do you really need five layers of web security for every single operation you do? i'm not saying it all should go away; banks and other websites that take personal information shouldn't be insecure. but the vast majority of the web doesn't need this. your geocities-aesthetic page does not need the finest encryption the nsa can provide. 99.999999% of the time nobody is going to give a shit.

but the fact that it's on, with no option to ever turn it off, means that you have no option but to upgrade to the latest and greatest. if you have something old, it could still be fully working; but they swapped the locks on you, so you can't use it any more.

disclaimer

i can rant about these things precisely because i have no impact on them. nobody is going to read this and turn around to go "wow, we should turn https off entirely!" because i ranted about it some. if you show up and go "wow so you just want everyone to get MITMed and hacked forever, huh" i will kick you in the nuts or nuts-equivalent and push you down a flight of stairs.

if you do this you are showing up to the old guy with a waist-length beard holding a cardboard sign saying "OLD WAS BETTER" and trying to argue with them, and i will instead beat you with the sign. let me have my fun. you are never going to feel the impacts of my rants, because they don't exist. but you might feel what i'm ranting about.



in reply to @xkeeper's post:

There's an especially insidious wrinkle to this in web APIs. Many newer web APIs can only be used for documents served via a "secure context", which means served via HTTPS. Even for completely static single-file applications that never so much as make a single network request. Despite the claims on that MDN page, some browsers don't even allow these features to be used on documents opened from a local filesystem, and you can expect this to get locked down tighter over time.

Web-Decker will probably never be able to prompt the user to take a webcam photo, or access gamepads on firefox, or save a file in-place, because in addition to quite reasonable affirmative-consent-gating dialog boxes, there is this bullshit HTTPS constraint.

Secure Contexts are a very deliberate choice to ratchet applications toward HTTPS, and HTTPS is in turn a ratchet to kill old software.

i think part of the motivation for this is that lots of new web platform features are too dangerous to allow over regular http. so instead of leaving dangerous features out of the platform we just make sure everyone has to go https or go fuck themselves

Yeah, a friend once gave me the suggestion to configure my own site to only allow HTTPS for security, which felt silly when I don't even expect it to get enough attention to be targeted by an attacker, and would go against the whole point of the site which was to have it be fully viewable under Internet Explorer 6

I still have HTTPS of course, and anyone who's serious about security will set their browser to HTTPS-by-default anyway, but there's no point taking the option of unencrypted HTTP away from my site and breaking that backwards compatibility just to provide an entirely hypothetical level of security for a small handful of people who choose to view it this way on a modern browser

I feel this in my bones. There have been so many legacy devices in environments that I worked in that required me to maintain a laptop or vm or something with an ancient browser version because modern browsers just flat out refuse to connect to them.

I am purposeful about allowing people to access my site via both http and https, and only forcing https wherever auth is concerned. Because there's a lot of shit that breaks when only https is allowed, such as transparent caching proxies (which are important in areas with poor bandwidth/access).

I used to have it such that my site would serve up entirely different sites on http vs. https, and when I worked at a search index company a few years ago I made a point to bring that up whenever anyone was assuming that http and https URLs are equivalent (our index didn't even track the scheme of URLs! it was maddening!) and like, yeah, it's an edge case, but edge cases are what make things break.

that’s an example of “where auth is concerned” though. like yeah if there’s a login cookie, then you need https. if the cookie doesn’t involve auth, though, why do you care if it gets stolen.

once I was using a 10-year-old laptop and the rtc battery died, leaving it to a date of 1/1/2000. My browser freaked out when I tried to access google because the certificate was far into the future. It already used https pinning so I couldn't use http. I had a lot of trouble searching how to adjust the clock on linux that day.

what we have set up on ahti.space, sortix.org, etc is to redirect to HTTPS if your browser sends the Upgrade-Insecure-Requests header (sent by default on modern browsers) but still allow access over HTTP otherwise

I don't understand why that's not more common – it doesn't introduce any new attacks for modern browsers (if you are in the position to strip off the Upgrade-Insecure-Requests, you are in the position to just proxy the entire request), still automatically upgrades the connection to HTTPS for modern browsers that default to plaintext HTTP when you don't include the protocol, and allows me to access it on any random retrocomputer I have. I guess once TLS 1.4 starts becoming required we might need to rethink the setup to allow TLS 1.2 / 1.3 only systems that send the header to connect, but that is not a lot of maintenance burden at all
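The header-gated redirect described in the comment above, as an added example that is not part of the thread and not the configuration those sites actually run. The origin `https://example.org`, the port, the 307 status and the function name `plan_response` are assumptions; the `Vary` header is included so a shared cache does not hand the redirect to a client that never asked for it.

```python
"""Opportunistic HTTPS upgrade on the plaintext listener (added example)."""
from http.server import BaseHTTPRequestHandler, HTTPServer

HTTPS_ORIGIN = "https://example.org"  # assumption: placeholder origin


def plan_response(headers, path, https_origin=HTTPS_ORIGIN):
    """Decide what the port-80 listener does with one request.

    headers: dict of request header names (any case) to values.
    Returns (status, response_headers).
    """
    lowered = {k.lower(): v.strip() for k, v in headers.items()}
    # Vary keeps a caching proxy from replaying the redirect to a legacy
    # client, or the plaintext page to a client that asked for an upgrade.
    out = {"Vary": "Upgrade-Insecure-Requests"}
    if lowered.get("upgrade-insecure-requests") == "1":
        # Absolute-form or malformed targets are rejected rather than
        # echoed into the Location header.
        if not path.startswith("/") or path.startswith("//"):
            return 400, out
        # 307 preserves the request method and body across the redirect.
        out["Location"] = https_origin + path
        return 307, out
    # No header: an old client, served over plain HTTP as before.
    return 200, out


class Handler(BaseHTTPRequestHandler):
    def do_GET(self):
        status, hdrs = plan_response(dict(self.headers.items()), self.path)
        body = b"<p>served over plain HTTP</p>\n" if status == 200 else b""
        self.send_response(status)
        for name, value in hdrs.items():
            self.send_header(name, value)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


if __name__ == "__main__":
    # Constructed local listener for trying the behaviour with curl.
    HTTPServer(("127.0.0.1", 8080), Handler).serve_forever()
```

Pages that carry login state still need an unconditional HTTPS-only rule, since this gate is advisory and depends on what the client sends.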

Google is shit.
I remember reading an article about problems caused by them lobbying to require https everywhere (around the time that HTTP2 / SPDY etc. was being pushed and before i first heard of Let's Encrypt as a tool) especially in third world countries. Missionaries in schools on the far end of the globe with access to the Internet only via satellite had extra trouble getting materials (even as basic as opening some wikipedia page) due to extra packets going through a high error-rate connection. They had some caching put up in place so they could revisit previously opened pages without dealing with their satnet limitations, but it only worked for non-secure http.

And now i tried to look for that article again. Of course google's search focused on the fact i want to learn about satnet, or missionaries, or socio-economic problems in Africa, completely ignoring that i put HTTPS there as the first word in my damn query.
It effectively buried the thing under its "i know better what you'd want to read, buddy".