
Given the spread of mobile browsing in the wider sense, it's unreasonable to assume that the majority of users surf through a VPN. So which alternative do you provide to the users of a js-only site?

My point is that this should be a concern for the developer of an application and not be pushed onto the "dumb user". I'm sure that there are better answers than three-letter acronyms.

Mobile phones have VPN clients now built into the system. It was much easier to get Android (old one, 2.x but it was possible even in 1.6) to connect to an L2TP/IPSec VPN than Ubuntu.

It's unreasonable to assume that the majority of users surf through a VPN because no one bothers, not because of any technical difficulties. But it's also unreasonable that the majority of users will surf with js disabled by default.

In general, there's very little a developer can do against a hostile network if their users are clueless. Even SSL is only useful as long as the network operator doesn't deSSLify the connection on the fly or the user catches that.

> deSSLify the connection on the fly

How is this possible?

Intercept HTTP requests that the target site tries to redirect to HTTPS. Then proxy the HTTPS connection. If the user doesn't notice that the lock icon is missing from the URL bar, then they're being effectively MITM'd (and anyone on the WiFi can see all their traffic).


  1. Alice enters "paypal.com" into her browser.
  2. Alice's browser issues a request to http://paypal.com/
  3. Mallory intercepts this request, and replays it.
  4. http://paypal.com redirects to https://www.paypal.com/
  5. Mallory's proxy fetches the Paypal content and returns it to Alice
  6. Alice sees "http://www.paypal.com/..." in her URL bar without the green lock, but doesn't notice.
  7. Alice enters her password.
  8. Mallory steals all her money.

A response to this attack is the "HTTP Strict Transport Security" extension implemented by modern browsers, which, for sites that enable it, prevents the browser from ever even attempting a non-encrypted connection to the site, and also prohibits bypassing the SSL certificate warning page if an unknown/invalid certificate is presented by a MITM attacker.
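
The HSTS behaviour described in the comment above, sketched as an added example that is not part of the original thread or any browser's actual code: a simplified model of the client-side store from RFC 6797, showing why a stored policy stops step 2 of the walkthrough (the plain-HTTP request) from ever being sent. The names `parseSTS` and `HstsStore` and the `bank.example` hostnames are assumptions made for illustration; IP-address hosts and preload lists are not modelled.

```javascript
// Added illustration: simplified model of a browser's HSTS store (RFC 6797); sample hosts are constructed.
function parseSTS(value) {
  // Returns {maxAge, includeSubDomains}, or null if the header is unusable.
  let maxAge = null, includeSubDomains = false;
  const seen = new Set();
  for (const raw of value.split(";")) {
    const part = raw.trim();
    if (!part) continue;
    const [name, ...rest] = part.split("=");
    const key = name.trim().toLowerCase();
    if (seen.has(key)) return null;          // repeated directive: invalid
    seen.add(key);
    const arg = rest.join("=").trim().replace(/^"(.*)"$/, "$1");
    if (key === "max-age") {
      if (!/^\d+$/.test(arg)) return null;
      maxAge = Number(arg);
    } else if (key === "includesubdomains") {
      includeSubDomains = true;
    }                                         // unknown directives are ignored
  }
  return maxAge === null ? null : { maxAge, includeSubDomains };
}

class HstsStore {
  constructor() { this.hosts = new Map(); }
  // Record a policy, but only from a response that arrived over HTTPS.
  note(url, headerValue, nowSec) {
    const u = new URL(url);
    const policy = parseSTS(headerValue);
    if (u.protocol !== "https:" || !policy) return false;
    if (policy.maxAge === 0) { this.hosts.delete(u.hostname); return true; }
    this.hosts.set(u.hostname, { expires: nowSec + policy.maxAge, sub: policy.includeSubDomains });
    return true;
  }
  // Rewrite http:// to https:// before any request leaves the machine.
  upgrade(url, nowSec) {
    const u = new URL(url);
    if (u.protocol !== "http:") return u.href;
    const labels = u.hostname.split(".");
    for (let i = 0; i < labels.length; i++) {
      const e = this.hosts.get(labels.slice(i).join("."));
      if (e && e.expires > nowSec && (i === 0 || e.sub)) {
        u.protocol = "https:";
        return u.href;
      }
    }
    return u.href;
  }
}
```

In this model the first request to a host with no stored policy still goes out over plain HTTP, and a header received over plain HTTP is ignored, so protection begins only after one successful HTTPS visit and lasts until `max-age` expires.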

I guess I'm one of the few people who always enter complete URLs, e.g. I would enter https://www.paypal.com, when I go to a site that I want SSL on.

I also do check that the lock is on, or for a site like a bank or paypal, that the address bar is green.

Do you want a cookie or something?
