Regular reminder that if you don't run your site on HTTPS you're doing yourself and anyone who visits your site a disservice.
This is double extra true for anyone doing ANYTHING related to sex. Even if your hosting provider is cool with what you're hosting, you owe it to the people who use your site to protect their privacy by preventing their ISP and any intermediary from knowing what they're looking at.
If nothing prevents bad behavior from an ISP, and it has happened before, then you should assume it’s happening. This extends to injecting JavaScript apps into insecure connections.
Unless you trust every hop from your browser to the destination server (and back), assume anything unencrypted can and will be inspected (and potentially tampered with). Encrypt everything you can.
@Seirdy@dflxh@amy My "favourite" is still Verizon injecting a unique ID into outgoing HTTP requests so that it could be used for targetting ads at the servers end.
@amy And how https prevent ISP, my mom or the guru of the sect next door to just read the domain name or visiting the site themselves. TLS hide what is being told between the site and the browser not who speak.
@shalien yeah, sure. But consider this: making a site HTTPS makes the job of anyone who cares about their privacy dramatically, wildly, easier. With Chrome and Firefox also both rolling out DNS-over-HTTPS (DoH) built-in to the browsers, this means many people will soon be immune from their ISP (but of course not their web browser or the DNS resolver) seeing what they're browsing. Helping people pick different DNS servers is also a challenge that needs to be dealt with, but there's still so much actual content that needs to be encrypted!
Tor is a non-answer for virtually everyone using the internet. It's confusing, obtuse, and also large corps (and nations) run exit and relay nodes to spy on the obfuscated traffic and de-anonymize it. Content encryption from origin server to client is mandatory for a secure internet.
@shalien well, it's reasonable to be suspicious of centralized control and that's also something that's worth tackling, but in the interim it's really important to get the web encrypted. Even if corporate CAs aren't ideal, servers configured and setup to encrypt traffic will be easier to migrate to a new encryption mechanism than those that haven't yet done the work, because it's likely that future schemes will have a similar, but more distributed model.
As an example of one of the organizations making improvements here is Let's Encrypt run by ISRG. A non-profit organization running automated free certificate issuance. They've issued certificates to over 350 million sites.
@amy@shalien Also the whole system of CA is complex but there are definitely checks and other entities that have shown they care about dealing with shady CAs. It is not perfect, far from it, it is not fully trustable, but it is definitely progress vs not encrypting.
@amy@shalien I'm extremely unconvinced that DoH is good for the average person's privacy. It takes a situation where each ISP can snoop on their own users (but many probably won't) and instead concentrates everyone's data at a very small number of huge (and historically, abusive) companies.
Sure, you could change the defaults, but most people won't and this is a worse situation to normal DNS.
I certainly trust my ISP ( @aaisp ) not to snoop more than I trust #cloudflare !
Add comment