Here's another good reason to encrypt everything. With letsencrypt.org coming online soon, maybe browsers can start providing warnings to users that try to download files from regular HTTP connections; though that wouldn't prevent this problem if the originating website itself is nefarious.
It'll take a while, but this does remove the last excuse sites might have for not encrypting everything.
I'm hopeful that in the next decade any use of unencrypted HTTP will become suspect, such that browsers can start showing unencrypted HTTP as explicitly insecure, rather than just as the absence of signs of security. But it'll take many years to get to that point.
Doing some testing of my own using BDFProxy opened my eyes as to what large sites are using http vs https for downloading files. If your primary reason for existing is providing binaries for download, you have no excuse for serving them up over http. I'm looking at you SourceForge.
4 comments
[ 0.21 ms ] story [ 22.3 ms ] threadI'm hopeful that in the next decade any use of unencrypted HTTP will become suspect, such that browsers can start showing unencrypted HTTP as explicitly insecure, rather than just as the absence of signs of security. But it'll take many years to get to that point.