Is there ever a reason to use http over https?

No

Https has already been cracked by NSA

No. Maybe to make things easier for the NSA.

depends on ssl and tls version

For a slight performance boost. You can use it for your static pages I guess

Yes, http is free (you see what gets sent)

Generally thanks to response features that are only enabled over HTTPS, HTTP will be slower than correctly configured HTTPS even for static pages nowadays

Now that we have Let's Encrypt, the only remaining reason to not use TLS has vanished.

http is comfier

would love if there was some way to do it in onion-service style when you can address domain by hash of public key thus knowing domain name in advance allows you to check if cert is valid without CA signing infrastructure

It can be useful during certain testing scenarios.

So only https from now on. Thanks for the info.

>Go to public website that has info I need
>Browser security warning: certificate expired, or some other certificate related shit
>Try http
>Automatically jumps to https, so back to step 2
>Doesn't allow me to add exception
>Sysop asleep with feet on table, so will take a while
>Public website, so no need for this data to be encrypted anyway
Happens more often than it should.

>cracked
No, they have access to resign certs without it being evident. This isn't difficult to do if you're able to pressure a CA into giving you a subordinate CA cert.

The whole PKI thing is foobar. It makes it a little harder for the chinks to see your passwords, but it makes it trivial for the government(s) to monitor you. The CA's have to comply to judicial orders, like any other company. Certificate revoking is broken by design.

Does NSA sell the cracks to hackers?

Massive if factual

No they just keep their tools on shitty air gapped computers that get owned either through heat distribution or physical access. Aforementioned tools are subsequently leaked.

on a correctly configured webserver, https is actually faster than http.
also, many of the fancy "new" features of http only work over https.
so you have no excuse to use plaintext http.

Yes... kind of.

For a while at my old university, in order to connect to the wifi, you had to sign in via a web page. The web page would show up whenever you tried to access any other website, but it couldn't show up if you were using HTTPS.

I have no idea how the fuck that worked, but I'm guessing there are some instances of shitty legacy software not working with SSL. In general, however, you should always encrypt everything if you don't have a specific reason not to.

don't they have a very limited time window to do the attack? (basically the length of the session)

When u want to use only one http

Probably HSTS.
Basically HSTS lets website owners specify that their site cannot be used if the certs and shit aren't valid.

What happens:
>Your phone tries to navigate to Google.com
>Captive portal captures your traffic and forwards you to a sign in page
>browser sees that cert does not match Google's
>HSTS prevents the page from being shown

Unless the portal website was so shit that it wasn't configured for HTTPS at all and just tried to send back HTTP.

HTTPS was never designed to keep the NSA from monitoring the internet.

It does keep some asshole with a SPAN port somewhere from succing up plaintext credentials, or from a skid sitting there at starbucks sniffing everyone not using a VPN.

yes they try to MITM it or some autism shit. cracking it afterhand would take years. that's why they just collect data and hope to break it when someone smarter than them figures out how (and when computers are more powerful, which *looks at intel* isn't going to happen as fast as they think)

I think that's what my university's old portal was doing. My solution to that was always to use an HTTP only site to access the portal.

This is why alwayshttp.com exists

alwayshttp.com/

That's awesome, gonna bookmark that.

Vintage computers.

that's why you should pass a basic IQ test before posting here

http.badssl.com
neverssl.com

It does make one wonder if this is another NSA-driven plan for forced obsolescence as you need to have a fairly modern OS/OpenSSL version to even be able to browse the internet now

those retards who say HTTPS traffic can be read don't know shit about cryptography

Speed? Overhead? Not having to worry about certs? Not having login data?

Yes, HTTPS/SSL CAs are centralized like domain names and they're owned by (((them))).

In days of old, using HTTPS would disable the cache on your browser. The assumption being that if it was important enough to encrypt you probably wouldn't want to keep it about.

I'm not sure if browsers still do this.

>I'm not sure if browsers still do this.
Haha, no.

pic related is for IE
I think it's browser.cache.disk_cache_ssl in firefox

dunno about chromium

Attached: eh.png (413x528, 19K)

what about what gets recv

> java keystore

Cloudflare is MITM