This is genuinely a huge win for the EFF. While I’m sure haters will point out that the EFF did almost none of the lifting the much much harder problem is coordinating millions of people to focus on a specific goal and the EFF made “HTTPs Everywhere” a thing that got honest to god real mindshare across the whole industry.
Coordination problems like this are capital H hard. It’s why almost all boycotts, petitions, union formations, vote with you feet/wallet don’t go anywhere because it’s trying to herd cats. Encrypting the web became an inevitability because of the EFF’s work.
So sincerely, amazing job to everyone who worked on the initiative. You crazy fools actually did it!
The EFF really makes a contribution to the world way out of size with their budget. The EFF's budget in 2019 was only $10 million dollars. Kudos for them.
>2021 was the year the other major browsers followed suit, starting with Chrome introducing an HTTPS default for navigation when a user types in the name of a URL without specifying insecure HTTP or secure HTTPS.
Is it enabled on Android? Last week a few links on HN resolved to HTTP for me, even though HTTPS was available for those sites (I checked). I noticed it because my provider injects ads in unencrypted traffic.
That's exactly what I meant: clicking on what appeared to be "example.com" directed me to "http://example.com", but maybe those links had explicit "http://" in them indeed, I'm not sure now.
The only relatively mainstream site I can think of that doesn't use https is the Australian Bureau of Meteorology [1]. The weather isn't exactly sensitive info but I don't see any excuse not to just set this up.
I think they should support both and not automatically redirect from http to https.
The comment just above you:
> Admittedly a small problem, but for microcontrollers that don't support https and just want to get some publically available data like weather-- it is an issue. So lots of hobbiest projects are basically turned off because of this.
The web is centralized as it never was before. We have to constantly (every 3 months) renew letsencrypt certificates. They do breaking changes to the tools and protocols to do that with the same periodicity. Now you need this shitty snap to do that. And private networks devices are still an unsolved problem no one talk about...
They claim [1] that they won't be making breaking changes to the protocol, unless absolutely necessary.
Many web servers/reverse proxies such as Caddy and Traefik have build-in ACME handling, so as long as you keep them up to date, your certificates should be correctly renewed. From my experience, configuration of ACME with either of them is a breeze.
I'm not sure why nginx and Apache don't implement this, considering they are the most popular servers.
There is no legitimate reason why you would need to keep all your servers updated all the time just because you want to have your cert continuing working.
On my case, I was annoyed with an old vps for example because impossible to use docker or snap because you need kernels modules that you don't control in such a setup.
I've had several instances of ACME bot deciding to randomly fail behind Cloudflare, so I've switched to using CF Origin certs on a few hosts. It's not ideal, but it works for my public needs. I'm still running PiHole locally with no certs, which I dislike.
Admittedly a small problem, but for microcontrollers that don't support https and just want to get some publically available data like weather-- it is an issue. So lots of hobbiest projects are basically turned off because of this.
21 comments
[ 4.8 ms ] story [ 44.1 ms ] threadCoordination problems like this are capital H hard. It’s why almost all boycotts, petitions, union formations, vote with you feet/wallet don’t go anywhere because it’s trying to herd cats. Encrypting the web became an inevitability because of the EFF’s work.
So sincerely, amazing job to everyone who worked on the initiative. You crazy fools actually did it!
https://apps.irs.gov/pub/epostcard/cor/043091431_202006_990_...
Is it enabled on Android? Last week a few links on HN resolved to HTTP for me, even though HTTPS was available for those sites (I checked). I noticed it because my provider injects ads in unencrypted traffic.
[1] https://www.bom.gov.au/
The comment just above you:
> Admittedly a small problem, but for microcontrollers that don't support https and just want to get some publically available data like weather-- it is an issue. So lots of hobbiest projects are basically turned off because of this.
The web is centralized as it never was before. We have to constantly (every 3 months) renew letsencrypt certificates. They do breaking changes to the tools and protocols to do that with the same periodicity. Now you need this shitty snap to do that. And private networks devices are still an unsolved problem no one talk about...
Many web servers/reverse proxies such as Caddy and Traefik have build-in ACME handling, so as long as you keep them up to date, your certificates should be correctly renewed. From my experience, configuration of ACME with either of them is a breeze.
I'm not sure why nginx and Apache don't implement this, considering they are the most popular servers.
[1] https://letsencrypt.org/docs/acme-protocol-updates/
On my case, I was annoyed with an old vps for example because impossible to use docker or snap because you need kernels modules that you don't control in such a setup.
Chrome/Firefox support this without an issue.
ZeroSSL.com (Aka Comodo), BuyPass.com, SSL.com
All offer 90 days or more free SSL certs
https://news.ycombinator.com/from?site=https.dev
its last snapshot:
https://web.archive.org/web/20210126194059/https://docs.http...
source: https://github.com/https-dev/docs/blob/master/list-of-acme-s...
[1] http://www.paulgraham.com/