Poll: HTTPS for whole site or just login-cart pages? - Page 2

Comments

  • @AlwaysSkint said:
    I see a green padlock: I must be safe.
    /s

    A necessary but not a sufficient condition, ever heard of them?

  • @raindog308 said: But what are the acceptable uses for HTTP in 2021?

    1. to reach authentication portals, see http://neverssl.com/
    2. to stay alive in countries which outlawed encryption
    3. to not break critical infrastructure
    4. debugging
    5. sending random HTTP traffic between your and waste the time of those who look at it
    6. [user] >--HTTP--> [website] is more honest and transparent than [user] >-- HTTPS --> [cdn] >-- HTTP --> [website]

  • user54321 Member
    edited October 2021

    @ceter said:

    @raindog308 said: But what are the acceptable uses for HTTP in 2021?

    1. to reach authentication portals, see http://neverssl.com/

    That is not how you do that; for that there is RFC 8910 for the client side and RFC 8952 for the provider side.

  • @user54321 said:

    @ceter said:

    @raindog308 said: But what are the acceptable uses for HTTP in 2021?

    1. to reach authentication portals, see http://neverssl.com/

    That is not how you do that; for that there is RFC 8910 for the client side and RFC 8952 for the provider side.

    What's the purpose of this neverssl website? I don't get it.

  • Shot2 Member
    edited October 2021

    @jackywood said:
    Even these sites should have TLS enabled in order to prevent malicious routes from planting ads or Trojan links in their pages.
    If these sites want to work with weak networks, consider automatically switching to a clean version or adding a JSON interface.

    Do you have real-life examples of such specific sites having been injected with malicious ads and stuff?

    Delivering json is fine (provided the average bushwalker has time and know-how to locate its url and download it and open it and make sense of that garbage), but what if it gets injected with crap data?

  • @Shot2 said:
    Do you have real-life examples of such specific sites having been injected with malicious ads and stuff?

    Yes. About six years ago, when https was not so popular, some small ISP always inserted ads on random http pages.

    Delivering json is fine (provided the average bushwalker has time and know-how to locate its url and download it and open it and make sense of that garbage), but what if it gets injected with crap data?

    JSON should not be presented to the end user in a plain format; it should be translated by your website.
    To prevent injections, you should always enable TLS, either for JSON or for deluxe HTML pages. However, JSON and simple HTML pages should perform better in weak networks.

  • Shot2 Member
    edited October 2021

    @jackywood said:

    @Shot2 said:
    Do you have real-life examples of such specific sites having been injected with malicious ads and stuff?

    Yes. About six years ago, when https was not so popular, some small ISP always inserted ads on random http pages.

    How malicious were these ads?
    I know of at least one cell carrier who practiced such a trick (in addition to redirecting 404s etc.) but it was never malicious (and, anyway, my basic HTML browser without images and scripts would not display them)

    However, json and simple html pages should perform better in weak networks.

    As long as it is served via TLS (rather than plain HTTP/FTP/whatever low-tech that's not latency and bandwidth-sensitive), it's still the same issue. Corner case, sure, but annoying as f*ck.

    N.B. I'm all for encryption everywhere, for plenty of reasons - as long as alternatives are kept available whereby knowledgeable end users need it. Just like I want the choice of disabling/blocking images and scripts and css and cookies and stuff for this or that website, I want the possibility of not needing TLS to access it (be it after hundreds of big red warnings). Quit force-feeding us with your encryption and ads and internet-of-shit at the same time, you stupid paranoid webmasters.

  • yoursunny Member, IPv6 Advocate

    @jackywood said:

    @Shot2 said:
    Do you have real-life examples of such specific sites having been injected with malicious ads and stuff?

    Yes. About six years ago, when https was not so popular, some small ISP always inserted ads on random http pages.

    Pavlov Media, who supplies community Internet at NorthPointe Student Apartments in Tucson AZ, used to play this trick:
    If a visitor requests http://www.amazon.com, they would receive a redirect through a third-party domain then to the same product page on https://www.amazon.com with an Amazon affiliate code.

    There was no HSTS in 2014, so they could do that.
    However, they wouldn't interfere if the visitor requests HTTPS from the beginning.
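
    The redirect trick described above only works when the browser's very first request to a site leaves the machine as plain HTTP. Once the browser holds a cached HSTS policy for the host, it rewrites http:// to https:// locally before anything is sent, so an on-path redirect never gets a chance. The following Python is an added example, not code from any poster: it models how a browser's HSTS store behaves under RFC 6797. A Strict-Transport-Security header received over plain HTTP (which is all an ISP can inject) is ignored, a header received over clean TLS is recorded, includeSubDomains covers hosts beneath the policy, a lapsed max-age stops the upgrade, and max-age=0 revokes the policy. The hostnames and header values are constructed sample data, and HstsStore, observe and should_upgrade are names chosen for this example, not any browser's API.

```python
"""Model of a browser's HSTS policy store (RFC 6797).

Added example for this thread; not taken from any post or browser.
Hostnames and header values used in demo() are constructed sample data.
"""
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional


@dataclass
class HstsEntry:
    expires: float            # absolute epoch time when the policy lapses
    include_subdomains: bool  # includeSubDomains directive was present


class HstsStore:
    def __init__(self, now: Callable[[], float] = time.time):
        self._now = now
        self._entries: Dict[str, HstsEntry] = {}

    def observe(self, host: str, header: Optional[str], over_tls: bool) -> None:
        """Record a Strict-Transport-Security header received from `host`.

        RFC 6797 section 8.1: the header only counts when it arrived over a
        TLS connection without certificate errors.  A header injected into a
        plain-HTTP response by an ISP or hotel gateway is therefore ignored.
        """
        if not over_tls or header is None:
            return
        directives: Dict[str, str] = {}
        for raw in header.split(";"):
            raw = raw.strip()
            if not raw:
                continue
            name, _, value = raw.partition("=")
            directives[name.strip().lower()] = value.strip().strip('"')
        max_age = directives.get("max-age")
        if max_age is None or not max_age.isdigit():
            return  # max-age is mandatory; a malformed header is ignored
        host = host.lower()
        if int(max_age) == 0:
            self._entries.pop(host, None)  # max-age=0 revokes the policy
            return
        self._entries[host] = HstsEntry(
            expires=self._now() + int(max_age),
            include_subdomains="includesubdomains" in directives,
        )

    def should_upgrade(self, host: str) -> bool:
        """True if http://host/ would be rewritten to https:// before sending."""
        host = host.lower()
        now = self._now()
        labels = host.split(".")
        # Check the exact host, then each parent domain (RFC 6797 section 8.2).
        for i in range(len(labels)):
            entry = self._entries.get(".".join(labels[i:]))
            if entry is None or entry.expires <= now:
                continue  # unknown host or lapsed policy: no upgrade
            if i == 0 or entry.include_subdomains:
                return True
        return False


def demo() -> Dict[str, bool]:
    """Walk through the thread's scenarios with a fake clock; all values True."""
    clock = [1_700_000_000.0]
    store = HstsStore(now=lambda: clock[0])
    results: Dict[str, bool] = {}
    # 1. Header seen in a plain-HTTP response (on-path injection): ignored,
    #    so the first http:// visit can still be redirected by the network.
    store.observe("example.com", "max-age=31536000; includeSubDomains", over_tls=False)
    results["injected_over_http_ignored"] = not store.should_upgrade("example.com")
    # 2. Same header over clean TLS: recorded, and includeSubDomains covers children.
    store.observe("example.com", "max-age=31536000; includeSubDomains", over_tls=True)
    results["parent_upgraded"] = store.should_upgrade("example.com")
    results["subdomain_upgraded"] = store.should_upgrade("shop.example.com")
    # 3. A short policy on an unrelated host lapses after max-age seconds.
    store.observe("other.example", "max-age=600", over_tls=True)
    results["short_policy_active"] = store.should_upgrade("other.example")
    clock[0] += 601
    results["short_policy_expired"] = not store.should_upgrade("other.example")
    results["long_policy_still_active"] = store.should_upgrade("shop.example.com")
    # 4. max-age=0 received over TLS revokes the policy for that host.
    store.observe("example.com", "max-age=0", over_tls=True)
    results["revoked"] = not store.should_upgrade("shop.example.com")
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'ok' if ok else 'FAIL'}")
```

    Scenario 1 is the gap the Pavlov Media redirect exploited: before the browser has ever seen the policy over TLS, a plain http:// request still goes out and anyone on the path can answer it. That first-visit window is what browser preload lists close, by shipping the policy with the browser instead of learning it from the site.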

  • raindog308 Administrator, Veteran

    @Shot2 said: What's the purpose of this neverssl website? I don't get it.

    I've been in various hotels where to connect to the Internet (i.e., to have your DHCP'd IP routed), you have to first go to a web page where you accept their terms and conditions, and sometimes enter something like your last name and room # to ensure only guests are connecting. No other protocols (e.g., ssh) will work until you have done this one-time web step.

    The problem is, some (most? all?) of those systems don't work if you're trying to connect to an https site as the first site. The "please accept our T&C" never comes up and your browser just gets a could not connect error. I'm not sure why things work this way, but you usually have to go to a plain old http site first, get intercepted, accept T&C, and then after that any http or https works fine.

    Seen this in multiple hotel chains, airports, conferences, etc. so apparently it's quite common. Perhaps older tech.

    The problem is that in 2021, virtually no site you normally go to is still on http. So neverssl.com provides a simple, memorable destination where you can go.

    Personally, in the past I would just see where the router was and go to http://172.16.x.x or whatever, and the router would always give me the T&C page. But now I know about neverssl. Thanks @ceter !
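
    A plain-HTTP probe works for captive portals because the gateway can freely rewrite or redirect an unencrypted request. On an https:// first visit it cannot present a certificate valid for the requested host, so the browser shows a connection or certificate error instead of the login page, which is why the T&C page "never comes up" in that case. The Python below is an added example, not code from any post or from neverssl.com: it classifies the answer to such a probe as a redirect to a portal host, an HTTP 511 Network Authentication Required (RFC 6585) from a gateway, a body altered on the path (the ISP ad-injection case raised earlier in the thread), or the unmodified origin. The probe body, hostnames and sample responses are constructed for the example, and classify_probe and ProbeResponse are names chosen here.

```python
"""Classify responses to a plain-HTTP connectivity probe.

Added example for this thread; not code from neverssl.com or any poster.
The probe body, hostnames and sample responses are constructed.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit


@dataclass
class ProbeResponse:
    status: int
    headers: Dict[str, str]
    body: bytes

    def header(self, name: str) -> Optional[str]:
        """Case-insensitive header lookup (HTTP header names are case-insensitive)."""
        for key, value in self.headers.items():
            if key.lower() == name.lower():
                return value
        return None


def classify_probe(resp: ProbeResponse, expected_status: int,
                   expected_body: bytes) -> Tuple[str, str]:
    """Return (verdict, detail) for the response to one plain-HTTP probe.

    The probe origin serves a fixed, uncacheable body, so any deviation from
    (expected_status, expected_body) means something on the path answered.
    """
    if resp.status == 511:
        # RFC 6585: the standards-track way for a gateway to say "log in first".
        return "network_auth_required", "HTTP 511 from an on-path gateway"
    if 300 <= resp.status < 400:
        # Hotel/airport portals usually bounce the probe to their login host.
        location = resp.header("Location") or ""
        host = urlsplit(location).hostname or "(relative or missing Location)"
        return "portal_redirect", host
    if resp.status == expected_status:
        if resp.body == expected_body:
            return "direct", "origin reached unmodified"
        # Same status but a different body: an interstitial served as 200,
        # or markup injected into the page by the network (ISP ads, tracking).
        return "content_modified", "%d bytes expected, %d received" % (
            len(expected_body), len(resp.body))
    return "unexpected", "status %d" % resp.status


# Constructed probe body; a real deployment would serve its own fixed page.
PROBE_BODY = b"<html><body>probe origin reached</body></html>"

# Constructed sample responses standing in for what a client might receive.
SAMPLES: Dict[str, ProbeResponse] = {
    "open_network": ProbeResponse(
        200, {"Content-Type": "text/html", "Cache-Control": "no-store"}, PROBE_BODY),
    "hotel_portal": ProbeResponse(
        302, {"Location": "https://login.hotel-wifi.example/?continue=http://probe.example/"}, b""),
    "isp_injection": ProbeResponse(
        200, {"Content-Type": "text/html"},
        PROBE_BODY.replace(
            b"</body>", b'<script src="http://ads.isp.example/inject.js"></script></body>')),
    "rfc6585_gateway": ProbeResponse(
        511, {"Content-Type": "text/html"}, b"<html>Network Authentication Required</html>"),
}


def run_samples() -> Dict[str, Tuple[str, str]]:
    """Classify every constructed sample against the expected 200 + PROBE_BODY."""
    return {name: classify_probe(resp, 200, PROBE_BODY) for name, resp in SAMPLES.items()}


if __name__ == "__main__":
    for name, (verdict, detail) in run_samples().items():
        print(f"{name:16s} -> {verdict} ({detail})")
```

    Two caveats a practitioner would want. The probe origin must send Cache-Control: no-store and the client must not reuse a cached copy, or a stale body would pass as "direct" on a network that is actually intercepting. And the probe itself is deliberately unauthenticated plain HTTP, so nothing it returns should be trusted beyond "something on the path is talking to me"; the login form it leads to should still be checked like any other page.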

  • Shot2 Member
    edited October 2021

    @raindog308 said:

    @Shot2 said: What's the purpose of this neverssl website? I don't get it.

    I've been in various hotels where to connect to the Internet (i.e., to have your DHCP'd IP routed), you have to first go to a web page where you accept their terms and conditions, and sometimes enter something like your last name and room # to ensure only guests are connecting. No other protocols (e.g., ssh) will work until you have done this one-time web step.

    Ah, yes, I see now, already encountered that :D Thanks for the clarification - the goal of neverssl is not so obvious on the first read.

    edit: probably the same hotels where you can try and bypass registering/paying by using http-over-dns (or http-over-icmp, or whatever)

  • afn Member
    edited October 2021

    @Shot2 said:

    @jackywood said:

    @Shot2 said:
    Do you have real-life examples of such specific sites having been injected with malicious ads and stuff?

    Yes. About six years ago, when https was not so popular, some small ISP always inserted ads on random http pages.

    How malicious were these ads?
    I know of at least one cell carrier who practiced such a trick (in addition to redirecting 404s etc.) but it was never malicious (and, anyway, my basic HTML browser without images and scripts would not display them)

    However, json and simple html pages should perform better in weak networks.

    As long as it is served via TLS (rather than plain HTTP/FTP/whatever low-tech that's not latency and bandwidth-sensitive), it's still the same issue. Corner case, sure, but annoying as f*ck.

    I saw an ISP doing this even with https or when connecting to localhost!

    https://superuser.com/questions/1093454/how-possibly-could-isp-push-information-to-my-browser-at-any-webpage

    Such ISPs should be banned from ever doing business again, and the people behind it should be jailed (forever).

    Oh btw, this one is not even a small ISP, it's Orange S.A., a big French ISP!

  • @afn said:

    @Shot2 said:

    @jackywood said:

    @Shot2 said:
    Do you have real-life examples of such specific sites having been injected with malicious ads and stuff?

    Yes. About six years ago, when https was not so popular, some small ISP always inserted ads on random http pages.

    How malicious were these ads?
    I know of at least one cell carrier who practiced such a trick (in addition to redirecting 404s etc.) but it was never malicious (and, anyway, my basic HTML browser without images and scripts would not display them)

    However, json and simple html pages should perform better in weak networks.

    As long as it is served via TLS (rather than plain HTTP/FTP/whatever low-tech that's not latency and bandwidth-sensitive), it's still the same issue. Corner case, sure, but annoying as f*ck.

    I saw an ISP doing this even with https or when connecting to localhost!

    https://superuser.com/questions/1093454/how-possibly-could-isp-push-information-to-my-browser-at-any-webpage

    Such ISPs should be banned from ever doing business again, and the people behind it should be jailed (forever).

    Oh btw, this one is not even a small ISP, it's Orange S.A., a big French ISP!

    ISPs can't do this with HTTPS unless you install software from them, so they can install a root CA certificate on your PC and do MITM attacks without a warning from the browser.
    Don't install anything from the ISP.
    I agree that such ISPs should be banned from doing business again. But until such a situation becomes a reality, all we can do is keep ourselves out of such things.

  • afn Member

    @jackywood said: ISPs can't do this with HTTPS unless you install software from them, so they can install a root CA certificate on your PC and do MITM attacks without a warning from the browser

    I am 99% certain I saw similar posts to the link I posted even over https...

  • All SSL for the whole site is way better :D

  • lifehost360_com Member, Host Rep

    Use HTTPS everywhere, if only for the search engines, which will drop your entry for "not using HTTPS" if you only use it at specific sites.
