new | ask | show | jobs
cowl 7 days ago  [ - ]

This is to be honest a little unfortunate. While Https is very important, do we really need to verify that Blog X that I may read once a year is really who they say they are? For many sites it doesn't make a lot of sense but we are here due to human nature

throw_a_grenade 7 days ago  [ - ]

The problem is not the site, but the network in the middle. On-path attackers typically don't care about which site they MITM in order to inject javascript e.g. to show ads, insert tracking tokens or hijack the browser for other purposes. The site is the vector, not the target.

bell-cot 6 days ago  [ - ]

Sounds like a great argument for keeping js disabled in my browser. Because "httpS://" does nothing whatever to sanitize the js that it delivers. And one perfectly legit site may pull in js from two dozen or more different servers. Zero of which are magically guaranteed to only deliver benevolent code.

Vs. `traceroute` suggests that would-be on-path attackers are up against a vastly smaller attack surface.

DaSHacka 6 days ago  [ - ]

> Sounds like a great argument for keeping js disabled in my browser. Because "httpS://" does nothing whatever to sanitize the js that it delivers. And one perfectly legit site may pull in js from two dozen or more different servers. Zero of which are magically guaranteed to only deliver benevolent code.

See:

https://developer.mozilla.org/en-US/docs/Web/Security/Subres...

bell-cot 6 days ago  [ - ]

Yes, great. When used. And maintained. All the way down the foo.js => bar.js => baz.js => etc.js chain.

Might you know which js blockers support "only with 'integrity='" conditionals?

eadmund 6 days ago  [ - ]

Ironically, this Google page itself fails to work without Javascript enabled!

bell-cot 6 days ago  [ - ]

Ironically? For maximum monetization, Google needs js, to turn "your" web browser into their web browser. https://news.ycombinator.com/item?id=42747092

cowl 6 days ago  [ - ]

most sites pull blindly pull and exec JS from their vendors, especially adds / tracking. you don't need a MITM attack on the site, plenty of supply chain issues for which https does nothing.

hermannj314 6 days ago  [ - ]

I stopped reading all print media, obeying any physical traffic signs, or having conversations on the phone etc. years ago.

I'm not going to drive 35mph without a trusted certificate authority verifying that sign wasn't tampered with by a MITM. My grandma tried to tell me she loved me over an unencrypted and insecure phone line the other day - nice try, hackers!