2019

>Anyone who understands security is FBI

What difference does it make? They're equally public.

>not using httpseverywhere

redpill or I'll bump this forever

>What difference does it make? They're equally public.
What? One you can read his posts with ease if intercepted, one you can't.

it encrypts the traffic between you and Jow Forums.org so your neighbor eavesdropping on your wifi can't see that you're browsing /h/

>gif in 1+2018 for anything more than simple animations

Attached: laugh.webm (700x284, 166K)

it doesn't hide the domain, just the pages you visit on that domain (so a eavesdropper can tell if you're on a redboard or blueboard)

>pages
as in foo.org/bar, not foo.org?

foo is not encrypted (because routers on the network need to know where to send your requests) but the path bar is encrypted along with most of the other stuff that matters.

get https everywhere extension and the problem goes away

eavesdroppers know that you're on foo.org but not on the "bar" page. an eavesdropper would know of a blueboard vs redboard because 4channel/Jow Forums

are my posts encrypted?

yes, all that can be found out it's an access to 4channel.org, but not what it is. eavesdroppers can't tell the difference between clicking a link, a thread autoupdating, making a post, etc

based

this

I use it, but this is the only website that I regularly visit that doesn't force https by default.

werks on my machine

>gif in 1+2018
Ew

gifs are unbeatable for what they're meant to be used for: small, short animations

Attached: 1557568872764.gif (678x422, 55K)

the absolute state of Jow Forums.
this piece of shit is dead

I've used it for a long time but I sometimes wonder how it works on sites that don't have an ssl certificate configured or even an httpd running on port 443. Obviously there aren't many of those these days now that let's encrypt is a thing, but does httpseverywhere actually offer any more security on those kind of sites?

God, this burger is delicious. Than you, faggot, now I'm hungry.

i'm sorry did you say 11 minute short film gif

Attached: elephantsdream.gif (35x19, 3.17M)

Who exactly is going to be intercepting it?

ISP or whoever controls the internet (eg. you’re using a guest network at uni, work, airport, etc.). It stops their curiosity.

it’s to protect from mitm attacks not the fbi

Attached: 2DAD3319-7D84-45B7-A7E7-5505A318B43C.jpg (498x400, 37K)

https is a joke, you need one CA out of hundreds to agree to forge cert for you and you can mitm any connection. It was designed to be exploited.

it's a honeypot, 4chancellors will be rounded up in fema concentration camps when Oprah Winfrey wins the election

why not help new people learn. i mean some of us haven’t had the privilege for an education.

Not if the domain owner sets CAA properly.

what are you going to do bring a gpu farm to starbucks with you. ssl keys can be cracked but i think it takes a while

>A set of CAA records describes only current grants of authority to issue certificates for the corresponding DNS domain. Since a certificate is typically valid for at least a year, it is possible that a certificate that is not conformant with the CAA records currently published was conformant with the CAA records published at the time that the certificate was issued. Relying Applications MUST NOT use CAA records as part of certificate validation.
>Relying Applications MUST NOT use CAA records as part of certificate validation.

Please user adults are talking.

>what is ssh
i don't give a shit retard, I'm not setting https myself. Https just means encrypted in the way so wireshark niggers don't get your packages
I don't give a fuck about your cucked unmaintained pages with expired certificates

>I don't give a fuck about your cucked unmaintained pages with expired certificates
what the fuck are you talking about

fuck https
I am not going to buy more expensive VPS to handle encryption load during traffic bursts

retard

I didn't really honestly anything else.

just at least google terms first

You google terms first. Mitm has nothing with expired unmaintained certs and can be dome for any domain.

Are people at Jow Forums of all boards arguing that encryption and certification is useless? Wtf is wrong with you all?

It's implemented poorly that makes it easily exploitable in HTTPS. No one is making a statement that it is generally useless.

it is not useless but it is cpu expensive and protects you only against hackers and thieves
most governments and secret services can obtain your certificate from CA without you knowing anything

The certificate is publicly available...

>forcing HTTPS

Attached: 1475660230256.gif (369x500, 560K)

But it's still better than not having anything at all. That's like arguing that your house shouldn't have a door lock because it's not the best one and the government probably has a master key to unlock it

they can get duplicate (remission) certificate from CA to decrypt your traffic

It's better in some cases but throwing a tantrum because this slightly better option is not forced on users is inane.

The thing that's needed to decrypt traffic is a private key and that is not stored in certificates.

I wouldn't go as far as throwing a tantrum because Jow Forums doesn't have authentication(I would if it did have it though), but I still don't see the point of arguing against it, the user wouldn't be really effected by this and might benefit from protection against website spoofing attacks and other vulnerabilities

are you gonna ssh into a super computer? are you gonna store the encrypted traffic and decrypt it with a ssl key. how are you going to get this ssl. oh your not haha nigger ssl is secure

Placebo for normies

I'm not arguing against having it. Check out the OP, the discussion is somewhat different from what you think it is.

I am going to mitm and send the forged certificate that has my own public key inside instead of the site's original certificate. And the browser will eat it and love it.

>35x19

That only works on older ssl certs with poor implementations. I'm still not seeing an actual argument against it being forced on every site

>That only works on older ssl certs with poor implementations.
What, mitm? It works everywhere. Browser won't even see the original cert.

>I'm still not seeing an actual argument against it being forced on every site
I'll give you one: some countries have this retarded system where the state has the right to ban certain URLs. ISPs can't check for URL in HTTPS traffic and are forced to block every site on the same IP address. With HTTP, they can and you can still browse sites normally.

You're supposed to generate your own key and only give the CSR to the CA. I sure hope you're not dumb enough to actually use keys provided by others.

n-gate.com/software/2017/07/12/0/

>he doesn't know that SSL has been deprecated for decades

Except Jow Forums is already a honeypot. It doesn't matter if you encrypt or not. You'll just block script kiddies an ISP

You are supposed not to put sensible data here user. btfo if you do.

>thinks he can willy-nilly replace certificates
How are you gonna get past DNS SubjectAltNames?
>ISPs can't check for URL in HTTPS traffic
>what is SNI

>It doesn't matter if you encrypt or not. You'll just block script kiddies an ISP
>You'll just block script kiddies an ISP
How does that not matter, retard? Blocking them is better than nothing.

haha this retard doesnt actually know how https works. quit shitposting retard and read a book or somethig.

This isn't Jow Forums and https is always forced, bot.

Typical fare for the entire site now.

Attached: spam bots attack.png (641x218, 25K)