Doesn't that mean that technically, any node in the network between you and your reader can mutate the contents of the blog in-transit without anyone being the wiser (up to and including arbitrary JavaScript inline injection)?
Probably a low-threat security risk for a blog.
Yes, hotels were injecting ads on their free WiFi - https://news.ycombinator.com/item?id=3804608
ISPs have been known to do the same thing.
Devil's advocate, but maybe ISPs should all inject ads to make a point. They make money, and anyone using HTTP gets taught a free lesson on what MITM means.
Before turning on the dude who strives to keep the internet free, fix your corporate laptop that does MITM even for HTTPS connections.
"Free" for fraudsters to get their pickings, maybe.
I own a personal laptop?
I'd be happy if EU outlawed this instead of outlawing encryption.
But indeed, the ability to publish on my own outweighs the risk of someone modding my content.
Most of us here read their news from work laptops, where the employer and their MITM supplier are a much bigger threat even for HTTPS websites.
This puts the question into my brain, which I have never thought to pursue, of whether you could offer a self-signed cert that the user has to install for HTTPS.
Their client will complain loudly until and unless they install it, but then for those who care you could offer the best of both worlds.
Almost certainly more trouble than it's worth. G'ah, and me without any free time to pursue a weekend hobby project!
> for those who care you could offer the best of both worlds.
You're not really offering that because the first connection could've been intercepted.
Too true. The old model is that you have to sneaker-net that first step. To get someone's public key, you'd literally meet them in person and they'd hand you a copy. We don't do that anymore.
I can imagine alternate approaches (service that stores personal keys on an HTTPS server signed via a public cert, keys in peer-to-peer filesharing with the checksum provided side-channel), but that gets increasingly more elaborate for diminishing return.
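The thread above lands on the classic trust-on-first-use problem: a self-signed cert is only as trustworthy as the first connection that fetched it, unless its fingerprint arrives over a side channel. The following Python, added here as an illustration and not code from any commenter, models that as an ssh-style known_hosts store: the first sighting of a host pins its certificate fingerprint (the unverified step), later sightings either match or raise a mismatch, and a fingerprint obtained out of band (the "sneaker-net" case) can be pinned up front so that even the first connection is checked. The hostname `blog.example` and the DER byte strings are constructed placeholders; `fetch_peer_cert_der` is the hypothetical helper a reader would use to obtain a real leaf cert with the standard `ssl` module.

```python
import hashlib
import socket
import ssl

# Outcomes of a pin check.
FIRST_SEEN = "first-seen"  # nothing pinned yet: this is the connection nobody verified
MATCH = "match"            # certificate unchanged since it was pinned
MISMATCH = "mismatch"      # certificate changed: interception, or a legitimate rotation to confirm out of band


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 over the DER encoding, the same value `openssl x509 -fingerprint -sha256` prints."""
    return hashlib.sha256(der_cert).hexdigest()


class TofuStore:
    """Trust-on-first-use pin store, modelled on ssh's known_hosts (in memory for this example)."""

    def __init__(self) -> None:
        self.pins: dict[str, str] = {}  # host -> certificate fingerprint

    def pin(self, host: str, fp: str) -> None:
        """Record a fingerprint obtained out of band (in person, printed, separate channel)."""
        self.pins[host] = fp

    def check(self, host: str, der_cert: bytes) -> str:
        """Compare a freshly presented certificate against the stored pin for this host."""
        fp = fingerprint(der_cert)
        known = self.pins.get(host)
        if known is None:
            self.pins[host] = fp  # trusting this one is the leap of faith the thread is about
            return FIRST_SEEN
        return MATCH if known == fp else MISMATCH


def fetch_peer_cert_der(host: str, port: int = 443) -> bytes:
    """Return the server's leaf certificate in DER form (hypothetical helper; needs network).

    Chain validation is switched off because a self-signed cert has no CA chain;
    the trust decision is made by the pin comparison in TofuStore, not here.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


# Constructed stand-ins for DER certificates (no real certificate bytes).
BLOG_CERT = b"CONSTRUCTED-DER-PLACEHOLDER: blog self-signed cert"
OTHER_CERT = b"CONSTRUCTED-DER-PLACEHOLDER: some other cert"


def demo_tofu() -> tuple[str, str, str]:
    """Plain TOFU: first sighting pins, second matches, a different cert later is flagged."""
    store = TofuStore()
    first = store.check("blog.example", BLOG_CERT)
    second = store.check("blog.example", BLOG_CERT)
    third = store.check("blog.example", OTHER_CERT)
    return first, second, third


def demo_out_of_band() -> str:
    """Sneaker-net case: the fingerprint was handed over beforehand, so the first connection is checked too."""
    store = TofuStore()
    store.pin("blog.example", fingerprint(BLOG_CERT))
    return store.check("blog.example", BLOG_CERT)


if __name__ == "__main__":
    print("TOFU sequence:", demo_tofu())
    print("pre-pinned first connection:", demo_out_of_band())
```

The design point is that `FIRST_SEEN` is not a success: a store that silently pins whatever it sees first gives the same answer whether or not that first response was tampered with, which is exactly the objection raised in the reply above. Pre-pinning via `pin()` is what turns the scheme into something stronger than plain HTTP, and a `MISMATCH` is a signal to verify through another channel, not something to click through.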
For a blog, I think the bigger risk is pervasive surveillance - gov reads all the connections and puts you on a list if the thing you are reading has the wrong keyword in it.