Tell HN: 6.3% of HN top submissions in plain HTTP, more than half upgradable
The methodology is simple. I gathered all links from https://news.ycombinator.com/front ("past" on the navigation bar) for each day from 2020-01-01 to 2020-07-09. These are the top stories of each day. This is a trivial task and resulted in 17566 links (raw data [0][1][2]). There are <100 duplicates, which I kept. Among these are 1112 plain HTTP links, amounting to ~6.3% out of 17566.
Next I analyzed how many of the 1112 plain HTTP links are available over HTTPS. Methodology:
1. Check if the HTTP version redirects to the HTTPS version; if so, done, otherwise record the HTTP response;
2. Replace http:// with https:// and see if the HTTPS URL works; if so, record the HTTPS response;
3. Compare the HTTP and HTTPS responses. If they're identical, done. If not, compare the length of the responses; if they differ by <=1%, record this as HTTPS response almost identical as HTTP, and assume the HTTPS version works (the page may not use relative URLs or omit the protocol, so the HTTPS response may be subtly different while having the exact same rendered output).
The analysis script is available at [3].
---
To be continued in a comment since I'm hitting the 2000 char limit: https://news.ycombinator.com/item?id=23802522
75 comments
[ 3.3 ms ] story [ 153 ms ] threadResults: out of 1112 plain HTTP links, 642 are available over HTTPS; out of those 642 entries, 143 redirect to HTTPS, 307 serve identical response from the HTTPS version, and 178 serve almost identical response (using the <=1% content length difference criterion); the remaining 14 entries with slightly wider Content-Length gaps tend to be visually identical too upon manual inspection. So we can pretty safely claim that more than half of the submitted plain HTTP links can be HTTPS instead. (We can't be 100% confident without further inspection though, since a page that responds over HTTPS just fine might have mixed content issues that prevent it from working at full capacity.)
Detailed results are available at [4].
By the way, I also tried to match the plain HTTP links against HTTPS Everywhere's rulesets[5], but coverage is rather poor since the rulesets are user-contributed; I only got around ten matches out of the 1112 links.
At the end of the day I can't say this little analysis is in any way useful... Let's just hope more people submit HTTPS when possible. I did notice that certain HN darlings, e.g. pg's blog, are still on plain HTTP without HTTPS counterparts. Also, the "Legal" and "Apply to YC" links in the footer are plain HTTP links; apparently haven't been touched in ages.
[0] https://pastebin.com/raw/qxVjjEyA links.csv.00
[1] https://pastebin.com/raw/3ZWgTJqh links.csv.01
[2] https://pastebin.com/raw/jxRjwfwT links.csv.02
[3] https://pastebin.com/raw/bpsq9DZG analyzer.py
[4] https://pastebin.com/raw/hkzZ0m5f upgradability.csv
[5] https://github.com/EFForg/https-everywhere/tree/master/src/c...
(Sorry about the pastebin.com links. I don't want to have this HN account associated to my real world identity, including my GitHub account and personal sites, so I had to use a non-ephemeral anonymous file host. The raw data file containing all aggregated links is too large for an anonymous paste, so it was split up into three pastes; the data analysis script automatically downloads all of them and assembles them into a single file.)
FWIW, you can tell HTTPS Everywhere to operate in "Encrypt All Sites Eligible" (EASE) mode, which unconditionally attempts to upgrade to HTTPS and errors out (with a prompt) if the connection fails.
* https://www.privateinternetaccess.com/blog/comcast-still-use...
* https://www.eff.org/deeplinks/2014/11/verizon-x-uidh
Edit: Spectrum has apparently used this technique as well[1]. That covers the vast majority of home Internet users in America.
[1]: https://gist.github.com/jzebedee/7c5000779cd131df2498a3e6d04...
MITM tampering might not just be from an ISP. It could be from public wifi, or from an exploited/infected router, or with some care perhaps from another person on the same network/wifi, or from an office, or from an entire country.
[1] https://www.troyhunt.com/heres-why-your-static-website-needs...
0. https://youtu.be/_BNIkw4Ao9w
1. https://citizenlab.ca/2015/04/chinas-great-cannon/
It's common for people to say https is only for shops or site with logins, but if you can modify an http only site that might normally only show plain text articles, you can make it show fake payments, fake logins and malware downloads to steal data.
Usually these old, forgotten or just obscure websites by someone not looking for SEO traffic or customers that some other person stumbled upon are the most interesting submissions.
This will absolutely happen by the end of this decade, and HTTP will be a distant memory.
If you care for HTTP, you need to ensure the contents of any HTTP sites are preserved in some capacity because one day, they will remain inaccessible, even using old software will likely not work at some point.
Edit: how to add an erroneous space because HN was doing something weird with the https link
HN could even do this programmatically when you submit the http link, kicking off the Wayback archive op and substituting the resulting link. This future proofs the thread in case the content disappears later.
Http isn't that bad and if you happen to have an ISP that injects ads you have way bigger problems and probably live in a country so infested with ads you won't even notice the difference anyway.
Most certainly not worth banning http submissions for that.
Someone using those ISPs should probably look into a vpn. I know it feels weird to trust a third party more than your ISP, but if they're injecting ads into your HTTP responses, maybe you should.
Anyway, giving the user the option of using https and even defaulting to it is a good thing. But I don't think non-encrypted protocols are that disastrous if no secrets are being transmitted.
For example; there are certain versions of IE that will throw an insecure content warning if you load https scripts within a http page.
And of course, many older clients don’t (and never will) support newer versions of TLS.
Does IE support 'schemeless URIs'? like:
Why? I get https->http, but why would an upgrade cause a warning?
It will be interesting to see what the results will be like in another year.
https://news.ycombinator.com/from?site=neverssl.com
Was purple.com really that popular of a workaround? I have no idea how I started using it, so now I’m curious how you happened to know about this followup site.
first snapshot, 1998: https://web.archive.org/web/19981212032124/http://www.purple...
later snapshot, 2016: https://web.archive.org/web/20160605121833/http://www.purple...
faq & details of advertising: https://web.archive.org/web/20170608195418/http://www.purple...
And before the sale of purple.com, this was the advertising policy: https://web.archive.org/web/20170702020833/http://www.purple...
Those FAQ pages are beautiful, by the way. Thank you for digging them up. I love the “to make my life simple” answers.
That is not something that one should accept. The whole concept should fall flat in any working market.
About as absurd as getting audio adverts inserted into your phone calls.
"This call has been going on for more than 10 minutes, have a listen to our sponsor".
Maybe that is a thing already?
Except in real life they would begin the call by advertising their own services to you and then allow it to continue...
Not sure if these are still around since the concept doesn't work when almost all traffic is https.
EDIT: The Onion.
Clearly it would never be accepted though.
EDIT: It took way too long for me to find details, sorry.
https://webcache.googleusercontent.com/search?q=cache:JiENVG...
Would you listen to a 15-second advertisement in order to make a free two-minute long-distance phone call?
BroadPoint Communications Inc. of Landover is betting that enough of you would, and is launching its service in Pittsburgh this week with "thousands" of subscribers. A Baltimore rollout could come this summer.
But before you bid good riddance to long-distance bills, be aware that -- surprise -- there are strings attached.
Before using BroadPoint's service, you'll have to register at the company's World Wide Web site and give up personal information, such as household income, number of children and ethnic background.
Once you've sent this information -- which BroadPoint says it will never sell to other companies -- the only thing separating you from unlimited free chat are a few ads, selected specifically for you based on your survey responses. For example, if you told BroadPoint that you have seven young children, don't be shocked to hear a diaper commercial.
I wrote up the details if you want a little more info: https://jrock.us/posts/gmail-and-hsts/
https://hstspreload.org/
It is also not reliant on having permission from a 3rd party to exist, and is fully self contained. Furthermore, because it is self hosted there are several physical machines at different locations which serve as backups and are selected by updating the DNS records, which I believe is incompatible with a basic lets encrypt system.
I understand the drive to push out https for interactive sites, because it is genuinely a bad idea to require users to submit their login credentials over plaintext, and it is possible there are other snooping risks and whatnot, but I really do not see the need for https on many of the simple static sites like mine that make it to hn. The only compelling argument I have seen to force encryption onto everyone is because of ISPs attacking users, but I am solidly in the camp that if you believe your ISP is attacking you you need to use a VPN for all of your traffic, because injecting ads is the least of your worries at that point.
- MITM attacks - Ad/message injection - Malware injection - Censorship
> Furthermore, because it is self hosted there are several physical machines at different locations which serve as backups and are selected by updating the DNS records, which I believe is incompatible with a basic lets encrypt system.
Sure. But it's not that much more harder to do it. Use something like the caddy server and have it manage certificate deployment for you.
Unless there's a client that you intend to serve that absolutely cannot handle SSL/TLS, I cannot see a reason why you'd want to stick with HTTP. And no, I don't consider IE6 as a valid excuse. You can always use an older version of Firefox on Windows 2k and it'll solve this problem. I honestly don't think I can trade all the above for more compatibility with ancient machines.
> but I am solidly in the camp that if you believe your ISP is attacking you you need to use a VPN for all of your traffic, because injecting ads is the least of your worries at that point.
I don't understand this. If your resistance to switch is to make it easy for anyone with any browser to use your web page, then expecting them to use a VPN because they have a terrible ISP because you refuse to use HTTPS makes their life more difficult. Surely, they don't see this problem with other websites that use HTTPS but now need to go get a VPN service just to use yours. Also, we're assuming VPNs are absolute saints here. Not really true. But even if it were true, a VPN is eventually someone else's ISP. You're hoping nothing and absolutely nothing in the routing topology will ever look at your data or bother to inject into it.
There’s nothing incompatible. You just request and update certs on each machine separately, with certbot. No caddy or whatever new hotness of the year required.
At the core it does what the op is proposing, but there's a bit of an extra complexity to deal with edge cases and regressions.