this post was submitted on 13 Jul 2023
55 points (100.0% liked)
Technology
37737 readers
45 users here now
A nice place to discuss rumors, happenings, innovations, and challenges in the technology sphere. We also welcome discussions on the intersections of technology and society. If it’s technological news or discussion of technology, it probably belongs here.
Remember the overriding ethos on Beehaw: Be(e) Nice. Each user you encounter here is a person, and should be treated with kindness (even if they’re wrong, or use a Linux distro you don’t like). Personal attacks will not be tolerated.
Subcommunities on Beehaw:
This community's icon was made by Aaron Schneider, under the CC-BY-NC-SA 4.0 license.
founded 2 years ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
But why
Because you might want to use HTTPS on a server that's not accessible externally. Some browser features only work over HTTPS.
Sounds like a bad browser.
Good browsers don't let random unauthenticated content to do whatever it wants on neither the local machine or the network.
HTTPS is also the only way to use client-side certificates for strong two-way authentication and zero-trust setups.
So, lynx?
lynx, no-script... it's all fine until some web needs JavaScript yes or yes, which nowadays seem to be most of them, then it's a game of whom to trust.
Private networks are usually an oxymoron, they're only as private as far as the WiFi router or whoever clicks the wrong malicious link go. Zero-trust mitigates that, instead of blindly relying on perimeter defenses and trusting anyone who manages to bypass them.
This is your brain on webshit.
You may want to rephrase that?
Every browser implements these limitations, as they're part of the web platform. Some examples are service workers, web crypto, HTTP/2, webcam, microphone, geolocation, and more. There's a list here: https://developer.mozilla.org/en-US/docs/Web/Security/Secure_Contexts/features_restricted_to_secure_contexts
Sounds like a bad browser.
Every browser does this. It's intentional to push people towards using encrypted connections, especially for PII like geolocation.
Sounds dystopian. I still won't feel bad for normies.
So, Chrome, FireFox, Edge, Safari, Opera, every other browser I've ever heard of, are all "bad browsers" in your opinion?
Plenty of non-browser related reasons to want HTTPS in your own network.
If you need it/should use it depends on your system architecture and level of paranoia.
For instance we’re running all our stuff in a virtualized Linux environment on-premise on our own hardware. There’s a firewall zone from the outside and in, several zones for different applications.
We terminate SSL at the edge and use port 80 for anything internal that’s HTTP.
While that opens us up to internal eavesdropping my argument is that anyone that deep in our system will have compromised everything anyways.
On the other hand it allows our firewall to do application filtering, including killing bad (as in faith) incoming requests.
The only caveat to that is that some of our external pen-testers think they’ve found a DOS scenario in our application when all that happens is that the firewall drops the connection.
If I was routing traffic over a shared network or multiple sites I’d definitely employ HTTPS.
All this said, I’m sure someone smarter than me have written better opinions on the topic.
For example, my browser won't auto-fill a credit card without a valid HTTPS connection. And as someone who does QA on payment pages, I find myself typing out the standard VISA test card number
4200 0000 0000 0000[tab]12/34[tab]123about a thousand times a day. Every ten minutes or so I type the wrong number of zeros and have to go back and try again. With a working HTTPS connection, the browser will fill it out for me. So much better.