No one can force me to have a secure website!!!
Posted by MintPaw@reddit | programming | View on Reddit | 62 comments
NekuSoul@reddit
While I share some reservations about the roles and power CAs have in the modern web, and the example how to intentionally render HTTPS pointlessly weak is interesting from an educational perspective, the rest of it is a lot to unpack.
To keep it short though, as all these points have been done to death, I'll just leave this here:
https://doesmysiteneedhttps.com/
MarcusOrlyius@reddit
These arguments all make assumptions about the type of site being perfectly legal. Yet governments will demand sites be blocked for all kinds of reasons, from piracy to politics.
There needs to be a discussion about securing websites in a completely anonymous manner, and these arguments never do that. There's always a link in the chain, that removes that anonymity.
Sure, in simple straightforward cases, securing a website is easy, but when you look at it from the opposite end of the spectrum, it's a completely different story.
NekuSoul@reddit
Although at that point CAs, particularly when using Let's Encrypt or similar, are probably the least of your worries when you also have to worry about getting a domain name and exposing the server to the public.
MarcusOrlyius@reddit
Well, that's precisely my point. This discussion is always swept under the rug by people claiming how easy it is to set up a secure site for simple straightforward cases.
NekuSoul@reddit
I'm not sure I'm following the logic here. Securing your server isn't disproportionally more difficult in more complex/difficult/anonymous setups and IMO one of the easier parts, if anything.
MarcusOrlyius@reddit
Really? Then explain the process. Have the discussion instead of trying once again to sweep it under the rug.
NekuSoul@reddit
For most people that would be: https://certbot.eff.org/
Just click what you're currently using and you'll get a pretty simple explanation.
Personally though I use the functionality already built into Nginx Proxy Manager: I enter my domain, provide my API token for that domain, enable HTTPS, done. No terminal, no config files, just a web interface. Renewals done automatically.
MarcusOrlyius@reddit
That's the simple case. The question is, how do you do these things completely anonymously in a way that can't be blocked by centralised organisations?
You say that, but they don't address these issues. If you think otherwise, then explain how. This is what I mean by trying to sweep the discussion under the rug.
NekuSoul@reddit
I think there has been a misunderstanding of my initial argument, which was:
At that point you already have dealt with multiple organisations. Why are we getting hung up talking about CAs, which play the smallest role in hosting a website?
tumes@reddit
I love his videos but also absolutely agree with you. His main gripes seem to be that it’s annoying for him to do, that’s it’s not as helpful or secure as is perceived, and thus that it’s busy work. But, like, it’s a social contract in a sense. It doesn’t protect everyone perfectly and it doesn’t meet everyone’s needs and it can, in instances, be a pain in the ass to complement (though Ngl that is a weak argument, like, ok, impersonating someone should be hard?) but even then… sorting out certs isn’t hard.
All of which is to say, considering that a lot if not most human beings conduct a lot of critical life business on the internet, I figure it is one of the most widely reaching and successful public services ever implemented on earth. So yeah, centering stuff like dev inconvenience feels weird and maybe a little misguided.
cake-day-on-feb-29@reddit
His argument is that this inconvenience is undue, because he is not serving anything sensitive that would require it.
You probably don't have armor plating on your car. Why would you, you're not any sort of targeted individual. Yet for some reason you start getting mail telling you you must have an armored car. You get HOA fines, people stop talking to you, they walk away from you. Whenever anyone looks at you, all they can see is "UNPROTECTED" in red text floating above your head.
Do you spend the tens of thousands of dollars to outfit your car with armored plating, wrecking your fuel economy just to "fit in" and get rid of that scary message?
juhotuho10@reddit
People are lazy. If they aren't half forced to do something, they probably won't do it. I can 100% see many websites that DO handle very sensitive data not having https because they either didn't know they needed to, or were too lazy to do anything about it
Hence the most effective thing to do, that will broadly protect more people is to half force people to use https
it's not perfect, it has many flaws, but it's better than the alternative
cemented-lightbulb@reddit
it doesn't really matter what you serve, a bad actor can still modify the contents of an http request to harm your users or misrepresent you. one could add a malicious donation button, for example, and many shittier ISPs (especially in the global south) will modify websites to include ads. I've thought about exploiting httpv to do something similar on his site before (as a purely academic endeavor not deployed anywhere) just to prove the point
tumes@reddit
Sure, makes sense, but it’s not tens of thousands of dollars. It’s free to a couple of bucks. And giving exceptions is begging for bad actors, he himself knows that he is a good actor, but that doesn’t make the rest of the internet less risky, right?
ptoki@reddit
Small side note:
Civilizations progress when advanced concepts are boxed and simplified for others to use. There are a lot of examples, but the simplest is that we got premade equipment and prepared ingredients for cooking and now anyone can cook. We together allow each other to pick the level of abstraction to do this and we just do it.
I feel that IT is diverging from that trend/convention.
Things aren't preboxed for people to use. They are hijacked and closed behind curtains.
Today even professional IT folks have a vague idea about SSL, keys, certs, keystores and how it works. Web standards stagnated: most webpages are reimplemented in JS, and so on.
While this guy argues wrongly, I kinda understand him. The website setup should not be as difficult. Setting up home systems should not be that complex. Hosting home automations should not be that much more complex than 3 or 4 files. And sharing files should not require magical knowledge about NFS or Samba.
My point is that those services aren't that complex in their nature, but they are complex to set up right today, even with all the defaults, prepackaging etc...
zman0900@reddit
The devops people where I work have made https extremely easy. My services only need plain http, whether on VMs or k8s, and they handle the rest with load balancers or k8s gateway API / Traefik. So like 5 people out of the whole company actually have to know and understand this stuff.
nelmaloc@reddit
I think you're mixing different things together. Websites have become JS because it allows you to build on top of preboxed frameworks.
And IT people should know how the PKI works. Else, they're not good IT professionals.
You can just set up an FTP server.
ptoki@reddit
Not really.
Websites became JS because having a button and a form does not let you build a website. Make a few controls available as standard and 99% of your JS is not needed anymore.
You will be mind blown how few do know how to use PKI, SSL.
You can set up FTP. But how many apps in modern systems work with FTP? Your music player does?
nelmaloc@reddit
True. Nowadays, with CSS dropdown menus and animations, you don't need any JS for making average websites.
All which use the default filepicker, which is the KDE one.
Yes.
ptoki@reddit
I mean Windows, Android apps. How often do they support streaming from FTP?
nelmaloc@reddit
On Windows it seems to work.
Garethp@reddit
My mum can update her website on Wordpress, my dad was able to create a website for his local toolshed organisation. A friend of mine, well into his retirement, is able to share pdfs for an RPG game by uploading them into a shared Google drive for use in an online call in a discord server he set up himself.
I get what you're saying about how doing these things yourself should be easier, but even that's moving forward with containerised systems targeted at self hosting.
Sure, I can buy an air fryer or microwave for my kitchen, but no way in hell am I building one myself. Hell, I'm not even going to try and install a new oven that I bought.
The point of boxed up utensils is that they're easy and accessible to use, not that the knowledge of how they actually do the thing is well known. Hell, ask people how a rice cooker knows when to stop cooking or how a kettle knows to shut off and most people will have no clue.
cake-day-on-feb-29@reddit
She was sold a service.
Sold service, spyware service
Spyware.
None of these things are "i cooked my own food", all of them are "i bought the slop from McDonald's which won't state which meat is used and someone came by later to swab the DNA off my fork. Also the price keeps going up and I don't own any cookware nor do I know how to make or buy or prepare anything, I am beholden to McDonald's and whatever they serve me"
ptoki@reddit
Can your mum or dad set up their own VPN to connect back home from the outside world?
Can they really set up the MySQL to be a foundation for the WordPress?
I'm not expecting you to build an air fryer. But you don't have to use one if you have a pan with oil and a stove. In today's IT you can only get a fancy, hard-to-wire air fryer, no pan and stove.
You are missing the point. IT components are too complex and hard to use. Every now and then someone comes and says fuckit and makes something simpler. SQLite is an example of it. You just link a library and write simple code and you get the database created and working. That is my point.
ruiwui@reddit
Aren't consumer services like icloud exactly the preboxed concepts you're talking about?
To me it seems like you're saying it's easy to buy a microwave, then comparing that to the software equivalent of building a microwave
cake-day-on-feb-29@reddit
These are "we make the home-grown options harder, in exchange give us money!"
The iCloud subscription and the scary SSL warnings go hand in hand, you are discouraged from using your own computer in the "wrong" way (as anything other than a blind content-consumption device) and are instead heavily encouraged into buying more cloud storage.
ptoki@reddit
Not really. They are Uber Eats. They aren't pan and pasta in the cupboard.
As for microwaves, they aren't really that complex. They are a box, magnetron, transformer and timer. I'm not saying you should build one, but you could make one from off-the-shelf components if they were standard. Or fix one: that is easy enough that a person with instructions and a pile of parts could do that.
And that's for a microwave; plumbing and stoves are even easier. In the USA you can replace the heating element in many stoves literally in minutes.
araujoms@reddit
The worst offender is email. It's getting harder and harder to set up an email server that won't automatically get rejected. I had one, whose only job was to send an email notification to me. Since I controlled both ends, I thought it wouldn't be a problem. It was. After years working without any issue my domain registrar decides to add a DMARC policy meaning that my emails should be silently discarded if they weren't cryptographically signed. So they just disappeared without an error message. It wasn't fun figuring that out. Shortly after fixing that Google decides that it was going to reject unsigned emails regardless of DMARC policy, so I had to set up SPF anyway. Fuck them.
mahreow@reddit
Lol terrible example
It's dead easy to set up a mail server, any monkey could do it. The reason email providers ala google, microsoft, yahoo etc automatically reject emails from new domains is because in 99% of cases it's the right thing to do due to the rampant abuse
ptoki@reddit
Ah, yeah. True!
I hate email subsystem. I have to deal with all this and I KNOW that this is black magic to like 95% of IT pros.
How is a normal person supposed to have a personal mailbox on a personal computer? We have that for paper mail. The IT systems are more and more corporate.
If someone nuked my mailbox a TON of personal accounts would be nuked and restoring them would be impossible ("we can't change the email, please create a new one"), then a random guy who gets my old address will be able to access my stuff.
hdkaoskd@reddit
That's a great reference. The only thing I'd add is not to use Cloudflare as a frontend because the way they self-issue man-in-the-middle certificates is sketchy as fuck.
otac0n@reddit
Sounds like toxic max-security to me.
paperlantern-ai@reddit
I feel like this argument expired around 2016 when Let's Encrypt launched. Before that, yeah, paying $50/yr for a cert on a hobby site felt dumb. Now it's literally certbot and you're done. The fight was valid ten years ago but the problem got solved and some people just never stopped being mad about it.
araujoms@reddit
If you watch the video he goes on specifically about Let's Encrypt. He's not complaining about the cost, but about having to depend on an external authority to be able to have his site available on the public internet.
Uristqwerty@reddit
If someone can MITM, they can intercept the first request with a redirect to a domain they have valid https on. So you would need something like HSTS preload for the security to be more than theatre and a mild inconvenience to attackers.
With IDNA to allow unicode characters, I bet there's a good /-lookalike, too. Would you trust https://example.org⧸index.site? (where ⧸ is a solidus, thus the real domain is xn--orgindex-681f.site, and there might be a plausible-at-a-glance way to disguise the unicode within a subdomain instead, if registrars are fussy about accepting random unicode)
A little security is never enough, unless your goal is purely to put up a facade or you're willing to invest in more elaborate, inconvenient setups.
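As an added example (not from any commenter), here is how a defender can render the lookalike host from the comment above and flag it: the hostname is decoded with Python's standard-library IDNA codec, any non-ASCII symbol that cannot be part of a word is reported, and the name a reader would perceive is compared with the domain that was actually registered. The registrable-domain helper is a simplification (last two labels) assumed for this example; a real check would consult the Public Suffix List.

```python
import unicodedata

# Constructed sample, the lookalike from the comment above: what reads as
# "example.org/index.site" is in fact a subdomain of a different domain.
LOOKALIKE_HOST = "example.xn--orgindex-681f.site"
PLAIN_HOST = "example.org"


def to_unicode_host(ascii_host: str) -> str:
    """Render an ACE (xn--) hostname the way a browser would before display,
    using the standard-library IDNA codec (one label at a time)."""
    return ascii_host.encode("ascii").decode("idna")


def suspicious_chars(unicode_host: str) -> list:
    """Non-ASCII characters that are not letters, marks or digits. Such symbols
    cannot be part of an ordinary word in any script, so in a hostname they
    usually exist only to imitate URL punctuation (slash, dot, colon, at)."""
    found = []
    for ch in unicode_host:
        if ord(ch) < 128:
            continue
        cat = unicodedata.category(ch)
        if cat[0] not in ("L", "M", "N"):
            found.append((ch, unicodedata.name(ch, "UNKNOWN"), cat))
    return found


def apparent_domain(unicode_host: str) -> str:
    """What a reader is likely to take for the site's name: the text before the
    first symbol that reads like a path separator."""
    for ch, _, _ in suspicious_chars(unicode_host):
        unicode_host = unicode_host.split(ch, 1)[0]
    return unicode_host


def registrable_domain(ascii_host: str) -> str:
    """Simplification assumed for this example: the last two labels.
    Production code should use the Public Suffix List instead."""
    return ".".join(ascii_host.split(".")[-2:])


def assess(ascii_host: str) -> dict:
    """Combine the checks into a verdict a browser UI or a log filter could use."""
    shown = to_unicode_host(ascii_host)
    flagged = suspicious_chars(shown)
    apparent = apparent_domain(shown)
    actual = registrable_domain(ascii_host)
    return {
        "displayed": shown,
        "apparent_domain": apparent,
        "actual_domain": actual,
        "flagged": flagged,
        "lookalike": bool(flagged) and apparent != actual,
    }


if __name__ == "__main__":
    for host in (LOOKALIKE_HOST, PLAIN_HOST):
        print(host, "->", assess(host))
```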
amestrianphilosopher@reddit
Can you explain this theoretical MITM scenario for HTTPS? Doesn’t really make sense to me with my understanding of the handshake process, unless your root CA is compromised or a bad actor injects a custom root CA into your OS.
Uristqwerty@reddit
Start with a http link. Unless browsers have started automatically attempting https first even when the URL says otherwise and in the absence of the site using HSTS to request that behaviour, I believe most sites rely on the web server redirecting http -> https. An attacker could change the redirect to cross domains in addition to protocols, to one fully under their control.
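As an added example (not from any commenter), the check a site owner would run on the handoff described above: the response to the first plain-http request must redirect to https on the same host, and the https origin must send an HSTS policy strong enough for the preload list, since browsers ignore HSTS sent over plain http. The responses are constructed samples; the one-year, includeSubDomains and preload requirements are the Chromium preload-list bar, assumed here as the threshold.

```python
from urllib.parse import urlsplit

# Chromium preload-list submission bar (assumed here): one year, subdomains, preload.
PRELOAD_MIN_AGE = 31536000
REDIRECT_CODES = {301, 302, 303, 307, 308}

# Constructed sample exchanges. Each entry holds the response to the first
# plain-http request and the response of the https origin it points to.
SAMPLES = {
    "honest": {
        "http": (301, {"Location": "https://example.org/"}),
        "https": (200, {"Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload"}),
    },
    "hijacked": {  # redirect rewritten on the wire to a host with its own valid cert
        "http": (302, {"Location": "https://example.xn--orgindex-681f.site/"}),
        "https": (200, {"Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload"}),
    },
    "weak_hsts": {
        "http": (301, {"Location": "https://example.org/"}),
        "https": (200, {"Strict-Transport-Security": "max-age=3600"}),
    },
}


def parse_hsts(value: str) -> dict:
    """Split a Strict-Transport-Security value into lower-cased directives."""
    directives = {}
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        if name:
            directives[name.strip().lower()] = val.strip().strip('"')
    return directives


def hsts_is_preload_ready(value: str) -> bool:
    d = parse_hsts(value)
    try:
        max_age = int(d.get("max-age", "0"))
    except ValueError:
        return False
    return max_age >= PRELOAD_MIN_AGE and "includesubdomains" in d and "preload" in d


def audit_site(http_url: str, site: dict) -> list:
    """Findings for the http->https handoff; an empty list means nothing to report.
    The redirect must keep the host and only change the scheme, and HSTS is
    checked on the https response because browsers discard it on plain http."""
    findings = []
    src = urlsplit(http_url)
    status, headers = site["http"]
    location = headers.get("Location", "")
    if status not in REDIRECT_CODES or not location:
        return ["no redirect from http to https"]
    dst = urlsplit(location)
    if dst.scheme != "https":
        findings.append("redirect does not upgrade to https")
    if dst.hostname != src.hostname:
        findings.append(f"cross-host redirect: {src.hostname} -> {dst.hostname}")
    _, https_headers = site["https"]
    hsts = https_headers.get("Strict-Transport-Security")
    if not hsts:
        findings.append("no HSTS header: every later visit also starts in the clear")
    elif not hsts_is_preload_ready(hsts):
        findings.append("HSTS present but not preload-eligible")
    return findings


if __name__ == "__main__":
    for name, site in SAMPLES.items():
        print(name, "->", audit_site("http://example.org/", site) or ["ok"])
```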
NekuSoul@reddit
In the grand scheme of things it's relatively recent, but Firefox has started doing that by default last year, and Chrome since 2023.
amestrianphilosopher@reddit
Gotcha, so it’s not necessarily a MITM attack in the sense that they can communicate with the actual legitimate upstream server on your behalf and intercept traffic. Just that they can redirect you. My understanding is that you’d typically call that a phishing attack
FunnyAd8847@reddit
Actually, infrastructure-as-code does force you to be secure. SSL, TLS, certificate rotation, security groups, encryption—all automated by the deployment system.
If you treat infrastructure as code (not manual checklist), security becomes default. You don't choose to be secure. The infrastructure automatically configures it correctly.
This is especially powerful for teams using AI code builders. You generate app code fast, but the infrastructure part is automated and hardened by default. Best of both worlds: move fast + stay secure.
Feeling_Ad_2729@reddit
The argument that "I don't need HTTPS because my site has no logins" misses what HTTPS actually does.
Encryption is half of it. The other half is authentication — your users need to know they're talking to your server, not a coffee shop router that decided to inject ads, an ISP doing traffic modification, or a state-level MITM. None of that is hypothetical; ISPs injected ads into HTTP traffic for years, and supercookies were injected via HTTP.
The "but it's just a blog" argument also ignores that even static content can be a vector if someone can modify it in transit. A script tag injected into your "harmless" content page can compromise users.
HTTP is fine in controlled private networks where you can actually verify the path. On the public internet, the assumption of a clean pipe doesn't hold. Browsers warning users about HTTP isn't overreach — it's accurate signaling about what the connection actually guarantees (nothing).
giantsparklerobot@reddit
Yeah the "I don't need HTTPS!" crowd doesn't conceptualize that even your ISP is a hostile actor at this point. When I had Comcast in the rare event I would hit an HTTP site they would inject ads and scripts into the pages. It was absurd.
This is now regular behavior with ISPs. It's not like they were ever really trustworthy but now they're outright hostile on top of being perfidious. While most people likely expect such things from free coffee shop WiFi they're not expecting it from their ISP charging them money every month for the privilege.
Said ISP will also disclaim all responsibility when they inject an ad with malware that infects your system. They're certainly not vetting ads any better than Google, which has and does inadvertently serve malware or social engineering. Even the FBI recommends using an ad blocker.
So ISPs injecting ads is not just bad taste but actually dangerous. TLS removes at least one vector of malware infection and at least lets the client know they received the server intended to send without modification.
whinis@reddit
I think the point is that with Let's Encrypt it's not authentication, and with the recent SSL proposed changes to limit certificate life to 47 days they stop pretending it is. All the cert says is that you controlled the DNS at some point.
As far as the MITM, I had not heard any examples of a non-compromised router doing anything of the sort, but being you are connected to it anyways there are many, many other attack vectors than MITMing some website. ISPs have been caught, but HTTPS didn't stop them either and they started to hijack DNS of unregistered domains to serve ads, but so have the registrars. Outside of those no one is MITMing your traffic that can't also get a cert for your domain. You have a much greater risk of supply chain attacks, which have been happening constantly and HTTPS doesn't fix.
Feeling_Ad_2729@reddit
You're right that DV certs only prove DNS control — that's the whole design. The chain of trust is: control the DNS = control the domain = cert is a reasonable proxy for "this is the legitimate site." Imperfect but meaningful.
The 47-day proposal actually strengthens this — shorter-lived certs mean a compromised cert has a smaller exposure window. It's about agility, not weakening authentication.
Supply chain point is fair. HTTPS doesn't solve everything. But defense in depth: HTTPS + subresource integrity + CSP layered together makes opportunistic injection significantly harder.
The practical floor remains: browsers flag HTTP as "Not Secure," service workers require HTTPS, and ISP content injection (hotel portals, ad injection) absolutely happens in practice. Not theoretical.
whinis@reddit
I would say that makes it meaningless for authentication. Any DNS attack then gives one a valid certificate; it doesn't authenticate, it just says that their DNS and Let's Encrypt's DNS matched for some time during the validity period. It also ignores the variety of state-run CAs that can just issue them or the various driver CAs which can also generate them.
Except it means it must be automated and moves farther away from authentication. It also means that if your authentication breaks or the service you are using goes down, suddenly your site is not accessible. I see no way this strengthens anything in the end.
EntroperZero@reddit
He goes on about how his website doesn't have a place for users to enter a password or a credit card number, but that's only true if the user is actually seeing his website, which, if they're getting it over HTTP, they can't verify. That's kinda the point.
cake-day-on-feb-29@reddit
So let's say you see a link to his website, from Google or reddit or wherever. It says something about breaking computers in the 90s. You click it, and the page loads to a form asking you for your credit card. You put the credit card in, then get upset that a hacker stole your credit card?
Huh?
How does that make any sense whatsoever?
Does that mean if I tell you to reply to my comment with your credit card, you'll do it, because reddit has the https padlock?
EntroperZero@reddit
You're not thinking nearly creatively enough. The page could render something that very plausibly looks like the original site, but perhaps it asks you to register an account. You input your email address and choose a password, perhaps it's the same password that you use on other sites. You've just been pwned.
You're not going to do this, and I'm not going to do this, but there are a lot of users out there with way less knowledge of how computers work.
cake-day-on-feb-29@reddit
HTTPS does nothing to solve this. I could create some blog and host it (with HTTPS), then add an account system and fish for credentials.
EntroperZero@reddit
But you could not host it at tom7.org with a valid certificate without hacking DNS or hacking Tom's web server.
aueioaue@reddit
LOL... I wish I could be in the room with them when this clicks.
NekuSoul@reddit
Or someone simply injects a banner that says "Here's a book I've written.", "Hey, I've launched a Patreon." or anything like that.
Running a crypto-miner or a small script that adds you to a DDoS botnet while you're on the website is also a possibility. Or just plain ads. The possibilities are endless.
Feeling_Ad_2729@reddit
You're right that DV certs only prove DNS control — that's the whole design. The chain of trust is: if you control the DNS, you control the domain, therefore a cert proving DNS control is a reasonable proxy for "this is the legitimate site." It's not perfect but it's a meaningful signal.
The 47-day proposal actually strengthens this — shorter-lived certs mean a compromised cert has a smaller exposure window. It's about agility, not weakening authentication.
The supply chain point is fair. HTTPS doesn't solve everything and yes, those attacks are more common. But defense in depth: HTTPS + subresource integrity + CSP layered together makes opportunistic injection significantly harder. The alternative isn't "no attacks," it's "easier attacks."
The practical floor argument remains: modern browsers flag HTTP as Not Secure, service workers and several APIs require HTTPS, and content injection (ISP ad injection, hotel portals) absolutely happens in practice. It's not theoretical.
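As an added example (not from any commenter) of the "HTTPS + subresource integrity + CSP" layering mentioned in both of the replies above: an SRI integrity value is computed for a script, the attribute is applied the way a browser evaluates it against an unmodified and an ad-injected copy, and a restrictive CSP header is built for the page. The script bodies and the CDN hostname are constructed samples.

```python
import base64
import hashlib

# Constructed sample: the script a page ships, and the same script with a banner
# appended the way an ad-injecting network path would alter it in transit.
ORIGINAL_JS = b"document.getElementById('hits').textContent = '42';\n"
TAMPERED_JS = ORIGINAL_JS + b"document.body.insertAdjacentHTML('beforeend', '<div>Sponsored</div>');\n"

# Algorithms browsers accept for SRI, weakest to strongest.
STRENGTH = {"sha256": 1, "sha384": 2, "sha512": 3}


def sri_integrity(content: bytes, algo: str = "sha384") -> str:
    """Value for a <script integrity="..."> attribute: algo-base64(digest)."""
    digest = hashlib.new(algo, content).digest()
    return algo + "-" + base64.b64encode(digest).decode("ascii")


def sri_matches(content: bytes, integrity: str) -> bool:
    """Apply an integrity attribute the way a browser does: keep the hashes of the
    strongest recognised algorithm and accept if any of them matches. With no
    usable hash there is no check at all, which is why a typo in the algorithm
    name silently disables SRI."""
    parsed = []
    for token in integrity.split():
        algo, _, value = token.partition("-")
        algo = algo.lower()
        if algo in STRENGTH:
            parsed.append((algo, value.split("?", 1)[0]))  # drop trailing options
    if not parsed:
        return True
    strongest = max(STRENGTH[a] for a, _ in parsed)
    return any(sri_integrity(content, a) == a + "-" + v
               for a, v in parsed if STRENGTH[a] == strongest)


def script_tag(src: str, content: bytes) -> str:
    """Markup for a script fetched from another origin with SRI enabled; crossorigin
    is required there, otherwise the browser cannot read the body to hash it."""
    return (f'<script src="{src}" integrity="{sri_integrity(content)}" '
            'crossorigin="anonymous"></script>')


def csp_header(script_hosts) -> str:
    """A restrictive Content-Security-Policy: scripts only from the page itself and
    the listed hosts, no plugins, no <base> retargeting, and http subresource
    URLs upgraded to https so a mixed-content script cannot be swapped in transit."""
    sources = " ".join(["'self'"] + list(script_hosts))
    return (f"default-src 'self'; script-src {sources}; object-src 'none'; "
            "base-uri 'none'; upgrade-insecure-requests")


if __name__ == "__main__":
    expected = sri_integrity(ORIGINAL_JS)
    print(script_tag("https://cdn.example/app.js", ORIGINAL_JS))
    print("original accepted:", sri_matches(ORIGINAL_JS, expected))
    print("tampered accepted:", sri_matches(TAMPERED_JS, expected))
    print(csp_header(["https://cdn.example"]))
```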
fripletister@reddit
A whole thirty-five minutes just to make a single bad argument?
ChrisRR@reddit
Old man yells at ~~cloud~~ https
MintPaw@reddit (OP)
This resonated with me. With CORS specifically, you can't use SharedArrayBuffer without setting up CORS in a specific way or tweaking the headers, even with a totally static page.
Which, if I understand correctly, means you can't have a multithreaded web app on S3 or other common static storage. You have to rent a box like EC2. Feels like extortion for basic features.
birdbrainswagtrain@reddit
I ran into this when trying to build an embedded Discord activity. Last I checked, before I abandoned that specific iteration of the project, it was functionally impossible to do any kind of multi-threading using their ~~sophisticated iframe technology~~ SDK.
They also require you to run everything through their own proxy, presumably just so you can't see user IP addresses. I guess that's understandable if they think they have some obligation to protect that information, but it does seem a little insane. I ban people who share IP grabbers in my community, not necessarily for the minor privacy violation, but mostly just because it's cringe.
Part of me gets it. I care about security! I think Tom takes it too far with his war on HTTPS! But there's definitely a point where companies take it too far. If you're so concerned about malware that you lock users out of doing what they want with their own devices, you've lost the plot. I really liked the phrase "compute science traitor" at the end of the video. I'm going to have to steal that.
redimkira@reddit
Logic makes no sense to me. Obviously Chrome doesn't "guess" what your website has, whether it asks for credit card information or allows you to download stuff. If you call it max security toxicity, then why not stick to using IE5 on Windows 95? It will definitely not show you an HTTPS error.
araujoms@reddit
What an amazing video. Love this guy. I'm still bitter that I had to surrender to Let's Encrypt when Firefox started showing a red warning label on my website because it didn't support HTTPS.
R2_SWE2@reddit
Once in a blue moon I stumble across an auth portal without https. That’s always a special kind of feeling
Klutzy_Pin9611@reddit
My website is so secure that even I can't log in half the time.
ericonr@reddit
Get caddy, put it in front of your stuff, ta-dah you have a public facing secure website.