
Apple did something similar in 2015:

CVE-2015-3774

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3774

https://lists.apple.com/archives/security-announce/2015/Aug/...

You had to three-finger press to trigger it, though. Similarly, it used unencrypted HTTP. I reported it and it was fixed to use TLS.

The dev defending this unencrypted behavior is really wild, though.





Most Chinese sites do not use HTTPS. In fact, TLS 1.3 traffic seems to be completely blocked within China's internet.[1] The decision to use plain HTTP is only strange from a Western viewpoint. Note: I am not defending this behavior. I still remember the era of ISPs injecting content into webpages. But it's important to keep in mind our subset of the world does not reflect the rest of the world.

[1] https://news.ycombinator.com/item?id=24093932


It does reflect the rest of the world; China is the extreme outlier here.

Also, accessing GitHub from within mainland China works, so TLS is not completely banned.



