
Comment Clients cache HTTPS (Score 2) 178

The web browser caches resources delivered through HTTPS the same way as resources delivered through cleartext HTTP. The only thing you lose is being able to cache on an intermediate proxy, but that is relevant if you're splitting one dial-up connection among multiple clients.

Then there is the issue of small timers who want to serve a web page from home, using an old computer and dynamic hostname.

File a support ticket with your dynamic DNS provider to request addition to the Public Suffix List. If a dynamic DNS provider is on the Public Suffix List, Let's Encrypt issues 20 certificates per customer per week instead of 20 per provider per week. The other benefit of being on the PSL is that sites on the same dynamic DNS provider can't see each other's cookies.

Comment Re:Router, printer, NAS, and other FQDNless device (Score 1) 178

Let's Encrypt has short-lived certificates, which are kinda useless and annoying when you have a device that is *not* a general-purpose computer capable of running their scripts.

What is the web server itself running on if not "a general-purpose computer"? If a special-purpose computer locked down to run only particular web server software, this particular web server software can include an ACME client. Certbot is not the only ACME client that can retrieve a certificate from Let's Encrypt or another ACME CA.

Am I really going to do a manual process on every cable modem, WAP, router, printer, switch, AP, IoT device, etc., every 3 months?

No. The manufacturer of "every cable modem, WAP, router, printer, switch, AP, IoT device, etc" will include an ACME client (or some other means of renewing a certificate) in the software package that runs the web server in said device.

The real problem is configuring which domain a device uses, as Let's Encrypt issues only 20 certificates per domain per week under a particular registrable domain based on Mozilla's Public Suffix List. And I'm told it takes months for a dynamic DNS host or other subdomain provider to get onto that list. But if you manufacture hardware devices or publish commercial software, as opposed to gratis software that a user can install on a generic computer, you can do what Plex did: become a reseller for some trusted CA to issue certificates for subdomains of your domain.
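Added example, not from the original comments: a minimal implementation of the Public Suffix List lookup that both the per-registered-domain Let's Encrypt limit and browser cookie scoping mentioned above key on. PSL_RULES is a constructed excerpt in PSL syntax, and "dyn-example.net" is a constructed stand-in for a dynamic DNS provider, not a real list entry.

```python
# Added example, not from the original comments. PSL_RULES is a constructed
# excerpt in PSL syntax; "dyn-example.net" is a made-up dynamic DNS provider.
PSL_RULES = """
// normal, wildcard (*) and exception (!) rules
com
net
co.uk
*.ck
!www.ck
dyn-example.net
"""

def parse_psl(text):
    """Return the rule list, dropping blank lines and // comments."""
    return [l.strip().lower() for l in text.splitlines()
            if l.strip() and not l.strip().startswith("//")]

def public_suffix(hostname, rules):
    """Public suffix per the PSL algorithm: exception rules win, otherwise the
    longest matching rule, otherwise the implicit '*' rule (last label)."""
    labels = hostname.lower().rstrip(".").split(".")
    matches = []
    for rule in rules:
        rl = rule.lstrip("!").split(".")
        if len(rl) > len(labels):
            continue
        if all(r == "*" or r == h for r, h in zip(rl, labels[-len(rl):])):
            matches.append((rule.startswith("!"), rl))
    exceptions = [rl for exc, rl in matches if exc]
    if exceptions:
        n = len(exceptions[0]) - 1          # exception rule minus its leftmost label
    elif matches:
        n = max(len(rl) for _, rl in matches)
    else:
        n = 1                               # implicit "*" rule
    return ".".join(labels[-n:])

def registrable_domain(hostname, rules):
    """Suffix plus one label; None if hostname is itself a public suffix."""
    labels = hostname.lower().rstrip(".").split(".")
    n = public_suffix(hostname, rules).count(".") + 1
    return ".".join(labels[-(n + 1):]) if len(labels) > n else None

def cert_limit_buckets(hostnames, rules):
    """Group hostnames by registrable domain: each key is one weekly-limit bucket."""
    buckets = {}
    for h in hostnames:
        buckets.setdefault(registrable_domain(h, rules), []).append(h)
    return buckets
```

With the provider on the list, alice.dyn-example.net and bob.dyn-example.net are separate registrable domains (separate certificate buckets, separate cookie domains); remove the provider's rule and both collapse into dyn-example.net.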

Comment Re:In a groundbreaking statement now (Score 1) 178

The path and query string themselves are enough to infer "people's information". With cleartext HTTP, a passive attacker can infer which medical condition you looked up on Wikipedia or WebMD. With HTTPS, an attacker can see the server's hostname in the Server Name Indication of the ClientHello message, such as en.wikipedia.org or www.webmd.com, but everything else is encrypted.

In addition, even when "people's information" is not "transmitted over the wire", the viewer's ISP can still inject advertisement scripts into a cleartext HTTP connection.

Comment False sense of security from self-signed cert (Score 1) 178

It's of course very weird that browsers treat unvalidated https as *worse* than http, in terms of scaring the user.

Cleartext HTTP gives the user a true sense of insecurity, as the scheme portion of the URL doesn't say https. Self-signed HTTPS gives the user a false sense of security, as it increases the chance for MITM to intercept the connection, unless the user has already verified the certificate fingerprint out of band. (It shares this false sense of security with SSH servers that don't publish server key fingerprints elsewhere.) I guess Mozilla considers the sense important to users' privacy and safety.

Comment Secure Contexts (W3C CR) (Score 1) 178

If the standard calls for a feature to work on both HTTP and HTTPS, and you implement only HTTPS, then it is not a standards-compliant implementation...

Nor does an implementation comply if the browser implements it over cleartext HTTP but the standard specifies that it shall not work over cleartext HTTP. A growing number of web standards specify such, citing things like the W3C Candidate Recommendation "Secure Contexts".

Those heavy-handed tactics could work when your market share was about 50%, but not anymore...

That'd be a good comeback if plurality browser Chrome weren't also doing it.

Comment Re:Loyal Firefox user for over a decade now. (Score 1) 178

So, if you have a huge compute infrastructure like Google does, SSL isn't much of a problem.

Modern server CPUs contain AES instructions that make TLS bulk encryption efficient. If the computation cost of TLS were a practical problem, you'd be seeing the problem on your client whenever you browse Slashdot, SoylentNews, YouTube, or any other HTTPS site. Any website that's more than a collection of static documents has data storage, application logic, and presentation layers on the server side, and these probably use significantly more CPU time than TLS does.

Comment Cleartext HTTP vulnerable to script injection (Score 2) 178

I run several websites, and not a single one of them needs HTTPS for anything.

How do you assure visitors of the several websites you run that the markup, stylesheets, images, fonts, and possibly scripts on your site have not been modified in transit by an intercepting proxy between your server and the viewer's machine? Comcast, for example, has been shown to inject advertisement scripts into HTML documents delivered through cleartext HTTP.

OMG, a MITM might substitute fake data! How awful!

Thus you answer your own question. It is awful.
