

HTTP Considered Unethical - Thrymr
https://alexgaynor.net/2014/oct/06/http-considered-unethical/

======
partkyle
> A student should be able to browse for information on depression without
> their principal knowing it, a dissident should be able to research how to
> avoid national firewalls without their government knowing it, and anyone who
> damn well pleases should be able to read whatever they like without their
> ISP knowing it.

If you just redirect all of the HTTP traffic, this isn't entirely helpful to
these people. The original request is sent in clear text and redirected.

~~~
Mandatum
We'd assume they'd be using HTTPS; you can't redirect HTTPS traffic without
serving an invalid certificate, which most browsers will warn you of. Or a
forged cert, but that's harder to do.

~~~
chronid
Unfortunately HTTPS is unable to protect you in a school/office setting, or
wherever you use a computer provided to you by someone else. In those cases,
certificates can (and will) be forged very easily.

------
alexbilbie
> "First, TLS doesn't just guarantee confidentiality, it also provides
> authentication and guarantees the integrity of this page. That prevents an
> attacker on the network from serving you bogus content, and pretending like
> it's from me."

But it doesn't though. If (for example) you're using Cloudflare's free SSL
then the SSL termination is at their servers and there's nothing stopping
them from mangling the page between the original server and them passing it on
to you.

How do you actually know if you're connecting to the server and not some
terminating load balancer and the connection is unencrypted from there to the
server?

~~~
rakoo
You don't because that's how HTTPS is built: the client trusts whatever is
sent its way as long as it's sent with a certificate that matches the domain.

Said differently, the server trusts Cloudflare to distribute the content as
expected, under its own name. This is _technically_ no different than you
trusting a machine to run the correct code and return the correct page,
whether it's at home or at your hosting provider. You as a website owner have
to trust all those components to behave correctly, and Cloudflare is just
another piece of it.

Of course given the easiness with which Cloudflare can intercept the data
(versus your hosting provider running some other code), the threat becomes
palpable, but HTTPS can't give you anything here.
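Added example, not from the thread or the linked article: a Python check on certificate data in the dict shape that `ssl.SSLSocket.getpeercert()` returns, showing why chronid's forged-certificate case sails through the name check rakoo describes, and how a client can still flag it by pinning the issuer it expects. The issuer allowlist and both certificate dicts are constructed for illustration.

```python
# Issuer CNs we expect on the origin's certificate (hypothetical allowlist).
EXPECTED_ISSUER_CNS = {"R3", "E1"}

def _rdn_value(name, key):
    """Pull one attribute (e.g. commonName) out of getpeercert()'s nested tuples."""
    for rdn in name:
        for attr, value in rdn:
            if attr == key:
                return value
    return None

def hostname_matches(cert, hostname):
    """The browser's name check: does a DNS SAN cover hostname? One leftmost
    wildcard label is honoured; '*.example.com' does not cover 'example.com'."""
    host_labels = hostname.lower().split(".")
    for kind, pattern in cert.get("subjectAltName", ()):
        if kind != "DNS":
            continue
        pat_labels = pattern.lower().split(".")
        if len(pat_labels) != len(host_labels):
            continue
        if pat_labels[0] == "*" and len(pat_labels) > 2:
            if pat_labels[1:] == host_labels[1:]:
                return True
        elif pat_labels == host_labels:
            return True
    return False

def classify_peer(cert, hostname, expected_issuers=EXPECTED_ISSUER_CNS):
    """'ok', 'hostname-mismatch', or 'unexpected-issuer' (likely TLS interception)."""
    if not hostname_matches(cert, hostname):
        return "hostname-mismatch"
    if _rdn_value(cert["issuer"], "commonName") not in expected_issuers:
        return "unexpected-issuer"
    return "ok"

# Constructed samples in the dict shape ssl.SSLSocket.getpeercert() returns.
ORIGIN_CERT = {
    "subject": ((("commonName", "example.com"),),),
    "issuer": ((("organizationName", "Let's Encrypt"),), (("commonName", "R3"),)),
    "subjectAltName": (("DNS", "example.com"), ("DNS", "www.example.com")),
}
# What a managed machine with a locally installed root sees: the name matches,
# the chain validates, and only the issuer gives the interception away.
INTERCEPTED_CERT = {
    "subject": ((("commonName", "example.com"),),),
    "issuer": ((("organizationName", "Acme School District"),),
               (("commonName", "Acme Web Filter CA"),)),
    "subjectAltName": (("DNS", "*.example.com"), ("DNS", "example.com")),
}
```

The same issuer check is what a pinning policy in a mobile app or a monitoring agent does; it catches the school/office case, but not a CDN terminating TLS under a certificate the site owner asked it to hold.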

