Jun 13, 2018, 22:58

Jun 13, 2018, 22:58

I /really/ need to add http://n-gate.com to my rss reader because it’s *so good*. This is the best description I’ve ever seen of the Microsoft acquisition of Github.

**Tyil** @tyil@mastodon.social · Jun 14, 2018, 16:08

**Tyil** @tyil@mastodon.social · Jun 14, 2018, 16:08

@wxcafe Interestingly, n-gate doesn't seem to support https.

Jun 14, 2018, 16:10

Jun 14, 2018, 16:10

@tyil doesn't matter?

**Tyil** @tyil@mastodon.social · Jun 14, 2018, 16:11

**Tyil** @tyil@mastodon.social · Jun 14, 2018, 16:11

@wxcafe Maybe if security doesn't matter to you. Especially given how easy and cost-free it is to set up these days.

Jun 14, 2018, 16:31

Jun 14, 2018, 16:31

@tyil ain’t no point in setting up https for a static site with no exchange of information. Literally who cares.

**Tyil** @tyil@mastodon.social · Jun 14, 2018, 16:46

**Tyil** @tyil@mastodon.social · Jun 14, 2018, 16:46

@wxcafe HTML is information, and the purpose of HTTP is to exchange it.

Anyone intercepting the connection at any point can still inject stuff (like scripts), even if the original host only provides static content. And anyone can still read out the entire message and use it for personal/meta data harvesting.

Anyone understanding what the words "information", "exchange" and "security" mean would care.

**Nick Farr** @nickfarr · 2018-06-14T18:12:42Z

Nick Farr @nickfarr

@tyil @wxcafe I mean, I agree that not using TLS is just kinda lazy now, but if I had the capability to pull off the cleartext packet injection attack you're describing literally what prevents me from just rerouting your next DNS request to a fallback insecure host of my own for more pwnage?

Jun 14, 2018, 18:12 · Tusky · 0 · 0

Jun 14, 2018, 18:14

Jun 14, 2018, 18:14

@nickfarr @tyil look don’t try, this person clearly grasps basic concepts of “information”, “exchange” and “security” better than we do, we can’t compare

**Nick Farr** @nickfarr · Jun 14, 2018, 19:05

**Nick Farr** @nickfarr · Jun 14, 2018, 19:05

@wxcafe @tyil LOL, I'm not even considered "technical" by most of our mutual friends.

**Tyil** @tyil@mastodon.social · Jun 14, 2018, 18:15

**Tyil** @tyil@mastodon.social · Jun 14, 2018, 18:15

@nickfarr @wxcafe I'm not saying that applying TLS is the absolute cure-all for security vulnerabilities. We all know that's not true (I hope).

But it would prevent certain attacks for next to no cost. This faulty concept that some people have that plain-text sites are somehow secure by default is harmful to propagate, and I'd rather people not do that. Which is why I tried to explain that part.

**Nick Farr** @nickfarr · Jun 14, 2018, 19:03

**Nick Farr** @nickfarr · Jun 14, 2018, 19:03

@tyil @wxcafe And herein lies the crux: cost/benefit.

Just as there's no magic bullet for security, nor should anything be assumed as default secure, one can't be dogmatic in telling a total strangers what their threat model or cost/benefit is.

I've seen lots of people introduce new security holes trying to make TLS work in their environment. LE made it soooo much easier, but in shared environments (i.e. most hosting), TLS is still non-trivial.

**Tyil** @tyil@mastodon.social · Jun 14, 2018, 19:12

**Tyil** @tyil@mastodon.social · Jun 14, 2018, 19:12

@nickfarr I agree with you, don't get me wrong.

I just wanted to clear up to that person that static pages aren't "secure" any more than other pages. In reality, all content transmitted over HTTP are static pages.

**Jasper** @jasper@pointless.net · Jun 20, 2018, 18:59

**Jasper** @jasper@pointless.net · Jun 20, 2018, 18:59

@nickfarr
@wxcafe

The DNSSEC signatures on the DNS records?

**Nick Farr** @nickfarr · Jun 20, 2018, 21:13

**Nick Farr** @nickfarr · Jun 20, 2018, 21:13

@jasper @wxcafe While absolutely true...how likely is it that the resolver doesn't support it and the domain is unsigned? Probably pretty good.