
> A MITM attack on a static site is definitely possible, maybe even easy, but I'm not going to worry about it unless I have something important to protect.

HTTPS doesn't protect the content of your site from being stolen, it protects your users from hostile third-party content masquerading as yours.

> it protects your users from hostile third-party content masquerading as yours

Exactly. What does anyone lose if my anonymous untrusted blog does something untrustworthy for that one reader who has an infected router?

Should I encrypt messages I write on postcards, because I'm afraid a disgruntled postal worker will write "you suck" on the bottom? The worst-case scenario here is temporary vandalism.


The same argument applies to littering. It's only going to harm strangers, and you're unlikely to get caught, so strictly from a cost-benefit perspective it seems like a good idea. But if everyone makes that "rational" decision then we all lose.


The problem is that as a community we want to move to where no traffic is unencrypted, so the MITM doesn't have to be trusted. If your static site wants an exception, then your static site is going to be where I get hit.


No, the worst-case scenario is that the user gets compromised/infected and becomes part of a botnet that attacks the rest of us.


> HTTPS doesn't protect the content of your site from being stolen, it protects your users from hostile third-party content masquerading as yours.

Hostile third-party content is only hostile because the client used to access the content does not take client security seriously.

Food for thought: As an end user consumer visiting random, benign websites, I want my browser to be protecting me against hostiles, rather than relying on website operators to do that for me. Just like I run antivirus on my machines instead of relying on everyone else to run it.


Just make it so that your browser doesn't render any http delivered content. Problem solved. From a client point of view that's the only protection you can do. A MITM over http is undetectable for you. With current OSes and hardware there is no sandboxing which will protect you under all circumstances.

If you do this, site providers are forced to switch to https anyway.


> If you do this, site providers are forced to switch to https anyway.

No, if everyone does this, providers are forced to switch. If you do it, it just means you're cut off from some portion of the web.

