Ask HN: Why Paul Graham’s Website Isn’t Using HTTPS?
I’ve recently skimmed through the website, essays and found that it doesn’t support valid https certificate ( some yahoo store wildcard certificate ). With portfolio companies like weebly and webflow in list, what makes paul stick to old plain website?
Please don’t answer that it’s not in your top 100 to-do list.
45 comments
[ 2.7 ms ] story [ 112 ms ] threadhttps://www.google.com/search?q=javascript+injection+by+isps
1. Ensuring you are getting the information the website author intends for you to get. i.e. data can’t be manipulated in transit.
2. Ensuring the information you are getting is in fact coming from the domain you are requesting it from.
3. Preventing others between you and the website from seeing the information sent back and forth.
I think you questioned the need for TLS here assuming 3 was the only purpose of TLS?
There are millions of sites without HTTPS that should have it, why specifically his site / blog?
He isn't thinking about starting a account or a bank on his site is he?
Except that you've missed that this is an extra overhead for some people and they don't want to deal with it. (if it ain't broke don't fix it). x.com is popular (because Elon) but there isn't https on there. I don't see anyone complaining except tech folk.
You can also apply this to PG himself, as he actively tells people to directly go to non-https, that shouldn't be an issue for his audience.
It takes less time for you to go to a non-https than it is for him to set HTTPS up and maintain it, if you're so concerned you can mirror his content to a https site.
Actually it should be but they are uneducated.
> if you're so concerned you can mirror his content to a https site.
That is a poor attitude. In a scenario where that fixed things it would only fix them for one person.
Or maybe they are educated and they realise it is a non-issue and not worth the effort to put into.
> That is a poor attitude. In a scenario where that fixed things it would only fix them for one person.
No it isn't, it would benefit anyone who cares about that specific issue, you can host it on a secure webpage if you care so much about it.
If you have enough money, you don't need to promote yourself or impress anyone...
https://outline.com/jBgZ3E
I face this problem in India with mainstream ISP.
https://tech.slashdot.org/story/07/07/25/155200/tool-detects...
https://lauren.vortex.com/archive/000337.html
https://www.forbes.com/sites/markgibbs/2013/05/01/cox-commun...
https://www.mattcutts.com/blog/confirmed-isp-modifies-google...
A site without a cert is basically telling its users "I don't care about you."
As for coffee shops and other public access points, people really need to understand the consequences of what are doing when connecting to any of these. Using HSTS is just an antidote to one particular problem. But when you connect to a hostile AP, many worse things can happen.
There is no absolute protection against compromise, but it would be polite for every web site to implement https and hsts to at least make it harder for visitors to be compromised. It costs them very little.
Maybe the analogy is soap in the bathroom at a coffee shop - most customers will not get cholera if the soap is missing, but is it moral for the shop owners to take the risk when the cost is so low and the downside is so high?
Even though there are buggy WPA2 implementations, in general it's pretty difficult to get in unless a trivial passphrase is used in WPA2-Personal. With WPA2-Enterprise, it depends on the method used, but breaking properly implemented EAP-TLS is really difficult. Your best bet is to look for bugs in routers etc.
But this basically proves my point: if the attacker can get into your network, messing with the output from Paul Graham's HTTP server should be the least of your worries.
The following was written years ago, but it is a lot easier to use https now. http://scripting.com/2014/08/08/myBlogDoesntNeedHttps.html
It requires no effort to stick with HTTP. Yes, it's not rocket science to use HTTPS, but it requires a non-zero amount of time to enable it. He probably has better things to do with his time.
Besides, it's his personal website... He can do whatever he wants with it.
Please do correct me if I'm wrong, but I think a whole lot of trouble can come if you enable running scripts over unsecured connections. From malicious DOM manipulations to exploiting CPU vulnerabilities. All of this of course if you assume the website you're visiting isn't itself doing malicious things :)
This is a good summary of why you should use HTTPS: https://doesmysiteneedhttps.com/