32 comments

[ 2.8 ms ] story [ 77.6 ms ] thread
When I see articles about security related topics I immediately expect them to be served over HTTPS and get frustrated when they are not.

It makes me think if HN should perhaps make a stand and either display some sort of lock icon next to secure links or make it harder for insecure links to show in the front page. Where is the right place to discuss this?

(comment deleted)
Why do you need https for text only page? Sure, somebody could do deep packet inspection, but they would not find anything they couldn't find going to the domain (that won't be hidden by https anyway) directly.

EDIT: previously incorrectly stated 'url' instead of 'domain'.

For integrity, ie. tamper-resistance and knowing if MitM tampering was done.
What's the end game for our hypothetical man in the middle? To edit the article to be subtly incorrect, so you'll misunderstand how Tor works?
Redirect to another website, push malware, show shock material, exploit a vulnerability in your browser.
All of those can be performed by an url shortening service or advertising or a compromised website (wordpress comes to mind) or ... etc.

/* insert ascii goatse here */

Spy on our country's citizens with deep packet inspection and put anyone on a list that reads anything related to Tor. With HTTPS, the visit of this website would seem 'innocent'.
It's a domain known to host Tor-related content, and HTTPS doesn't hide that you're connecting to it.
This. HTTPS hides the details of your requests to sites you visit, but it doesn't hide the actual sites themselves.
That's one possibility -- to misinform or give incorrect instructions. This may be more of a risk with this type of content than your run-of-the-mill personal blog.

A more frequent one is injection of ads or tracking scripts, or 'web accelerators' that recompress images. Certain ISPs have been known to do these.

Given that this is a Tor article, let's talk about it. Tor exit nodes are a super easy place to perform snooping and injection on non-encrypted requests passing through that boundary. This has been used for simple snooping as well as demonstrated cache poisoning attacks that let the snooper inject JS into later https site requests like banks to exfiltrate passwords.
I don't know what is on a page until I visit it, so to make a stand myself in favor of a less insecure internet, I use HTTPS Everywhere in strict mode, which blocks HTTP. I have found that mostly I can live with it, and wish for the community (HN audience is a good part of it) to keep pushing (through a bit of pressure perhaps) towards an HTTPS only internet.
The problem with this is that it makes it very difficult to do network/isp level caching, this is especially problematic in areas where internet connectivity is slow, expensive, and limited.
It would be nice if https had a signature only mode so ISPs could cache but not meddle with the contents.
Javascript inserted that injects fake flash/ms/java update... fake redirect to a login page to capture credentials... the list goes on.
But URLs are encrypted as it's the TCP connection that's encrypted, isn't it?!
Yes, snoopers can only see the domain you visit (not the full url). (although they can make good educated guesses based on file sizes)
> that won't be hidden by https anyway

The only thing that's not hidden are the domain names in the certificate that the server presents.

The rest of the URL is encrypted, along with all data and headers.

Assuming the server uses SNI, the domain name requested by the client is also sent in plaintext. Also, it's exposed anyway in DNS queries.
There are several reasons you want this, relating to security, privacy and “politics” (in the wider sense).

Regarding security, using HTTPS (along with the right measures on externally-hosted content) guarantees (to some extend) that what the users gets is what you meant to publish: an hostile network cannot replace the content with misinformation and cannot inject JS -- to exploit the client or not (as was done with the “Great Cannon” [0] which took down Github).

Privacy-wise, a number of countries routinely spy on their communication infrastructure, and revealing “I visited this website” is far more problematic than “I visited this Tor-related post on this website, and left this comment”.

The last reason for systematic HTTPS is “political”: if we go towards a situation where HTTPS is systematically employed, HTTP-only website will be subjected to increasing amounts of social pressure as adoption rates grow: deploying HTTPS (and preferably best-practices) on your “text-only” website pushes other websites (that might “need” it more) to deploy it too.

[0]: https://citizenlab.org/2015/04/chinas-great-cannon/

It would also be useful to point out limitations and vulnerabilities. Tor browser has no protection against malware that hits the Internet directly, bypassing Tor circuits. But Tor Project does not prominently warn users about that on its website. While Tor Project does acknowledge Tor's vulnerability to global adversaries, there's also no prominent warning about that. If you run Tor in a terminal, you see "This is experimental software. Do not rely on it for strong anonymity." But how many users will ever see that warning?
Even worse is that javascript is default enabled, making the security as strong as the Firefox sandbox.
That's FUD and untrue.

The first thing you see in Tor Browser is a tab explaining that you got properly connected to Tor, but that Tor in itself is not a complete solution to online privacy and suggests you follow a link to an informative document written by the Tor Project.

Remember that Tor anonymizes the origin of your traffic, and it encrypts everything inside the Tor network, but it can't encrypt your traffic between the Tor network and its final destination. If you are communicating sensitive information, you should use as much care as you would on the normal scary Internet — use HTTPS or other end-to-end encryption and authentication.

https://www.torproject.org/projects/torbrowser.html.en