
Sorry, but this is just ignorant. If you request a carrot cake recipe but receive a modified recipe that uses arsenic instead of carrots... Without HTTPS, this kind of thing can easily happen. You think you are downloading poison control instructions but instead the instructions are modified, causing death or injury. HTTPS is not for "sensitive" data but for the integrity of all data. Imagine going to a voter registration page in Africa; you show up at the address and it's an ambush by anti-democracy militants because they were able to hijack the information on the official website.

The 1990s bullshit opinion that HTTPS is somehow only for 'sensitive' data is very destructive to a safe Internet.



> If you request a carrot cake recipe but receive a modified recipe that uses arsenic instead of carrots... Without HTTPS, this kind of thing can easily happen

I can easily get struck by lightning when I go outside in the rain. I can easily get eaten by mountain lions who break out of their cages when I go to the zoo.

There being a one in ten million chance of something happening doesn't dismiss all of the valid concerns the linked article raises.

The importance of HTTPS' added security is something for both the host and user to consider. The host can choose not to implement it, and the user can choose not to trust/view the data if they have even the slightest possible reason to believe their data might be modified maliciously in transit; or tracked for some sort of profiling that they want to avoid.

As it stands, I'm wary about accessing any Chinese servers without HTTPS, but I'm not at all concerned about my ISP or government MITM'ing my connections to Ars Technica for nefarious purposes. Nor do I care in the slightest if my ISP knows I read a story there about Norway planning to drop FM radio transmissions.


> the user can choose not to trust/view the data if they have even the slightest possible reason to believe their data might be modified maliciously in transit; or tracked for some sort of profiling that they want to avoid.

If every internet user were educated enough to behave in such a way, then I'd say that would be a fair suggestion, but I don't think it's reasonable to expect that the average user is capable of making such judgements.


Then do you support dismantling tech companies who exploit tracking?

If people are too stupid to understand taking an HTTP risk, aren't they also too stupid to risk using Gmail?


+1 And the premise that some commenter on HN should even enter into an argument about which of YOUR data is sensitive is destructive. It's your security. You should decide what imperils it.



