this post was submitted on 17 Jun 2024
306 points (98.1% liked)
linuxmemes
21263 readers
972 users here now
Hint: :q!
Sister communities:
- LemmyMemes: Memes
- LemmyShitpost: Anything and everything goes.
- RISA: Star Trek memes and shitposts
Community rules (click to expand)
1. Follow the site-wide rules
- Instance-wide TOS: https://legal.lemmy.world/tos/
- Lemmy code of conduct: https://join-lemmy.org/docs/code_of_conduct.html
2. Be civil
- Understand the difference between a joke and an insult.
- Do not harrass or attack members of the community for any reason.
- Leave remarks of "peasantry" to the PCMR community. If you dislike an OS/service/application, attack the thing you dislike, not the individuals who use it. Some people may not have a choice.
- Bigotry will not be tolerated.
- These rules are somewhat loosened when the subject is a public figure. Still, do not attack their person or incite harrassment.
3. Post Linux-related content
- Including Unix and BSD.
- Non-Linux content is acceptable as long as it makes a reference to Linux. For example, the poorly made mockery of
sudo
in Windows. - No porn. Even if you watch it on a Linux machine.
4. No recent reposts
- Everybody uses Arch btw, can't quit Vim, and wants to interject for a moment. You can stop now.
Please report posts and comments that break these rules!
founded 1 year ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
Yes, everything needs to be https. https prevents tapering with traffic.
You think your data is secure with HTTPS? There's always an undisclosed vulnerability somewhere.
Patches solve specific issues but they do nothing for overall security.
I don't think there is any vulnerability in https. There are know limitations but https itself is fine. If you are talking about TLS vulnerabilities then we have much more to worry about. To compromise the content on a page someone would have to brute force TLS very fast which isn't feasible with today's computer. Today's computer would take at least a few million years. But I have scene estimates that say long past the heat death of the universe.
Even if https was full of holes it still would be better than http. Http has zero tamper protections or encryption. Companies like AT&T used to tamper with traffic to various purposes and it was feasible for them to do so.
And these days we're on v1.3 - https://www.cloudflare.com/learning/ssl/why-use-tls-1.3/
Notice anything? There's always a flaw. The general public hasn't discovered it in TLS1.3.....yet
And again, Banking websites, some stuff makes a lot of sense to use encryption.
Just not everywhere.
TLS could be the most flawed system on Earth and it would still be better than no TLS. Plain traffic is just that, plain. I can do whatever I want to your web browser as I can arbitrarily change the contents of websites. I can make a page be full of ads or do more malicious things such as replacing a page with a phishing site or running something like beef which allows me to have full control of a browser and to pull all information. I could also exploit any vulnerabilities in the browser to do privilege escalation although to be fair major security CVEs are rare.
This is literally a community about privacy. I don't understand why you wouldn't want https. It works out of the box and it is implemented pretty much everywhere. If a site doesn't use it that site isn't really worth using as it take very little time to setup with Let's encrypt.
Stop spreading bullshit!
Oh look, we've found a security 'researcher'. Mad that your job only consists of making other people's job harder?
Try the DMV, that's also a great place to work where you can inflict misery on others.
Valuable zero days aren't exposed. They're sold. If someone wants your data they will get it. HTTPS means nothing except huge amounts of wasted CPU cycles and energy.
You're simply dumb.
Once again you seem to be calling for not bothering with any security effort of there's even a remote chance of some other vulnerability happening.
The whole point of security is that it's always a multi-layered thing. Nobody sane is pretending that encrypting web traffic with HTTPS is a panacea that's going to solve all your data security needs. But it is sure as hell a million times better than having all of your data transmitted in the clear, with absolutely no assurance that you're are talking to the system you think you're talking to, or that the data hasn't been tampered with in transit.
And don't pretend https is a huge burden. It's dead simple to get SSL/TLS certs, and the additional load of encrypting and decrypting the traffic is barely even a rounding error on modern CPUs.