
This is important. Because the discussion around HTTPS tends to train users into thinking that HTTPS = Web Security.

I totally agree that it's important, and I understand the attack vectors. But what about your outdated WordPress/Joomla installation? What about your default password on your admin site? Those I think are more serious issues, but of course harder to tackle.

To exploit a MiTM you need to be on the same network, this could be achieved through your local-cafe's WiFi or by compromising an internal system of a local network. Not a trivial task I would say. If you manage to pull it off, the impact is contained to that local network.

If you compromise the insecure site directly, you can have a much wider audience and HTTPS won't help you in this scenario.




> To exploit a MiTM you need to be on the same network, this could be achieved through your local-cafe's WiFi or by compromising an internal system of a local network.

Or, say, your ISP injecting ads and tracking scripts into unencrypted pages your browser requests.


Holy, I forgot about that one! You're totally right and I'm surprised it's not one of the main arguments for this push for HTTPS.


IMO it's really the only compelling argument for HTTPS on sites that don't deal with traffic worth intercepting. Other than that, I agree with you re café Wi-fi, etc: the man-in-the-middle risk is so small and localized that it may as well not exist.


Not only is the coffee shop using an ISP that is likely MITMing you, insecure coffee wifi routers can be exploited at scale to MITM a lot of coffee shops at once.


I think that's why Google has been pushing so hard for HTTPS; ISPs were able to do tracking just as well under HTTP, so Google wants to shut that door.



