> We started off with SSL/TLS being used for payments systems and logins ... If it says the certificate for your bank is expired, you need to stop. If it says the certificate for the 10 year old public blog post that was linked by a 5 year old Reddit post as describing the solution to your problem, that should not matter
Non-HTTPS pages can be tampered with to inject any content into them e.g. into a blog post page, you could inject a login form ("sign in via Google to unlock this post"), a donation payment form ("donate for more content like this!"), or malware installers ("your browser is out of date, click to update" banner).
I think pushing to protect non-tech savvy users makes sense here. I see even a lot of developers not understanding risks like the above, so it's a losing battle thinking non-techy users can be educated about it and be cautious enough.
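As an added illustration (not code from anyone in this thread), the check below classifies, from a page's URL scheme and a constructed response head, whether anything on the path between the reader and the site could alter what the browser renders; the sample responses and the host `blog.example` are made up.

```python
from urllib.parse import urlparse

def parse_response(raw: str):
    """Split a raw HTTP/1.1 response head into (status_code, {header: value})."""
    lines = raw.strip().splitlines()
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers

def assess(url: str, raw_response: str) -> dict:
    """Classify whether an on-path party could alter the page as delivered."""
    scheme = urlparse(url).scheme.lower()
    status, h = parse_response(raw_response)
    if scheme == "https":
        # Content is authenticated end to end; HSTS additionally stops the
        # browser from ever trying plain http for this host on later visits.
        return {"transport": "https", "tamperable": False,
                "hsts": "strict-transport-security" in h}
    to_https = 300 <= status < 400 and h.get("location", "").lower().startswith("https://")
    # Anything served over plain http, the redirect itself included, is
    # unauthenticated, so a redirect alone does not protect the first request.
    return {"transport": "http", "tamperable": True,
            "redirects_to_https": to_https, "hsts": False}

# Constructed sample responses (not captured from any real site).
BLOG_HTTP = """HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: nginx"""

BLOG_REDIRECT = """HTTP/1.1 301 Moved Permanently
Location: https://blog.example/post/123"""

BLOG_HTTPS = """HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Strict-Transport-Security: max-age=31536000"""

if __name__ == "__main__":
    for url, resp in [("http://blog.example/post/123", BLOG_HTTP),
                      ("http://blog.example/post/123", BLOG_REDIRECT),
                      ("https://blog.example/post/123", BLOG_HTTPS)]:
        print(url, assess(url, resp))
```

The plain-http blog is the case the comment describes: the site itself may be honest, but every hop in between can rewrite the page.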
> Non-HTTPS pages can be tampered with to inject any content into them e.g. into a blog post page, you could inject a login form ("sign in via Google to unlock this post"), a donation payment form ("donate for more content like this!"), or malware installers.
Who cares? The blog author could be malicious. The blog might have been sold 5 years ago and now hosts malicious content.
The people getting their money and accounts stolen care. The blog owner cares about the reputational hit. People who care about the success of the web care because it makes the web more risky than people using mobile apps.
So visiting a website is doing a stupid thing? Your recommendation is essentially telling people to stop visiting websites or accept bad things will happen to them. This is not a healthy viewpoint for growing the web.
The stupid behaviors listed above are putting your google password or payment info into a random blog, or running a program it gives you because it says you need to update.
Doing that is stupid whether it's http or valid https or broken https.
Okay, but if a user went to a http version of YouTube and put in your payment info to buy a movie, as opposed to remembering it should take him to an https Google page, I would find that a plausible situation that is hard to blame the user for. Attackers being able to hijack the reputation of sites is problematic.
Youtube does not have 0 reputation. The point of this thread is arguing the merits of requiring sites that don't handle sensitive information to use https.
> There is still risk, but this is a form of risk which is not necessary and can be reduced.
It reduces it a little bit. But if you drop the risk of a random site being malicious by 25% that's not a very important change. The user still has to be wary. That reduction is not worth anything as drastic as blocking the site.
> We are talking about blogs that don't use https because they don't sell things. Expired certificates are out of scope of this comment thread.
I got the impression we were primarily talking about broken https. It's definitely not out of scope entirely:
"If it says the certificate for your bank is expired, you need to stop. If it says the certificate for the 10 year old public blog post that was linked by a 5 year old Reddit post as describing the solution to your problem, that should not matter, and you just want to read the non-secret contents of whatever is on that page regardless of whether the site's maintainer turned on HTTP to HTTPS redirects and then neglected to renew the certificate."
But you can at least acknowledge that there is a difference between trusting a blog you are actively seeking out and all the entities between you and said blog, right?