1. 15
  1. 4

    As long as HTTP is supported, everything is alright. I guess at some point web browsers will stop processing js served through HTTP, so that the “this site is insecure” icon will lose its meaning and civilized people can get back to plain http for simple static sites (instead of resorting to gopher and whatnot).

    1. 8

      I like the idea of removing JavaScript from plain HTTP. Give us back the Simple Web!

      1. 5

        It seems to me that there is a large portion of the web/browser community that would rather just drop support for HTTP altogether. Hopefully they won’t do that, because IMHO we need simpler protocols and tech, not more complex. Modern trends like HTTP/2, Kubernetes and whatnot are all adding complexity, while practically no new inventions reduce it. Sooner or later it will be impossible to understand how it all works, even dedicated experts will only understand a tiny portion of all the moving parts.

        1. 2

          What does enabling JS have to do with the move from HTTP to HTTPS? HTTPS is about encrypting the requests/responses, not preventing XSS.

          1. 4

            I can’t speak for anyone else, but I’m thinking of events like the one that took down GitHub a few years ago.

            It’s not technically the same scenario, since they injected the scripts through an ad network rather than a MITM attack, but it does match a general rule: allowing third parties to inject arbitrary JavaScript into your web site is no better than running Windows 98 on the public internet. Even if there’s nothing valuable on the computer, the computer itself is valuable enough to hack.

            And everyone should be running an ad blocker, of course. The web really is this era’s equivalent to the DOS-based family of Windows.

            1. 3

              I am a vocal proponent of using HTTP and not using HTTPS for displaying unsecure static data to the world. The increased complexity of HTTPS and its need to depend on third parties are too strong an inconvenience for such a basic usage. I argue that my website is a sand castle on the beach, for everyone to look at, and I do not really care if some random visitors (“attackers”, if you want) come and put their name or whatever they want on it.

              The invariable reply to my pleas is that using HTTP can not only be used by others to mis-represent my work (which I do not care about), but that it is actually evil. The reasoning is that some man in the middle can attack the communication channel and inject evil code that will “steal the credit cards” of my readers, and that this theft will be entirely my fault for providing an insecure channel. I find this argument particularly offensive and complete bullshit, but I have heard it so many times that I guess that many people are worried about that. Since you cannot realistically steal credit cards without javascript or some form of scripting, I would be really happy if browsers blocked scripting over http. This will make http great again for personal static sites.

              1. 3

                I’ve legit seen ISPs in certain regions inject ridiculous ads and track the content of HTTP pages people visit.

                1. 3

                  I’m thinking less about stealing the credit cards and more about redirecting traffic to malicious servers which can install malware. https://theintercept.com/2014/03/12/nsa-plans-infect-millions-computers-malware/

            2. 4

              I can kind of sympathize with the author here, but OTOH, I’ve run an HTTP server starting out in the late 90s. It has required attention every 5 years or so at best. The last change I made to it was a couple of years ago to put in Let’s Encrypt certificates. It was a relatively simple change and it has been running fine since then.

              Software connected to “the Internet of Hate, aka The Internet” (tm James Mickens) cannot be entirely static and stable, otherwise it will get hacked, but a simple HTTP Server serving static documents is about as low-risk as you can get, and even the move from HTTP to HTTPS is a fairly simple one that, in my experience, doesn’t need constant attention.

              The complexity comes with running a rich, interactive “Web what are we up to now? dot 0” experience, where you’re letting people interact directly with your precious web server.

              1. 2

                Doesn’t using proxies address this on top of performance and security boost?

                1. 1

                  Using proxies just pushes the problem back one layer; now you need to maintain the proxy’s TLS configuration instead of your web server’s TLS configuration, but it still has to be maintained. Or you outsource maintaining it to Cloudflare. You still can’t walk away from the server entirely and let it keep running quietly.

                  (I’m the author of the linked-to entry.)

                  1. 1

                    “In the era of HTTP, you could have set up a web server in 2000 and it could still be running today, working perfectly well”

                    “And now you have to keep reasonably up to date with web server software, TLS libraries, and TLS configurations on an ongoing basis, because I doubt that the deprecation of everything before TLS 1.2 will be the last such deprecation”

                    This is what I’m addressing. It seemed like the folks you talk about wanted these servers to keep running. These diverse and interesting setups. Then, HTTPS’s varying needs get in the way. So, we rely on a mature proxy whose developers and/or ecosystem handle all that so HTTP or whatever it proxies to keeps working without all that work. Then, the rest can keep focusing on the non-HTTPS stuff that sits behind the proxies. There are existing tools for that.

                    “Another, more relevant side of this is that it’s not going to be possible for people with web servers to just let them sit.”

                    This part remains true. Looking at the big picture, it probably was and always will be true for a lot of things in tech and life. Just due to how our environments change constantly whether offline or online. If anything, we should be pleasantly surprised when something we build still works five years later online without changes. Even more as pace of change and extra complexities increase over time.
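The proxy arrangement this subthread describes, as an added example that is not any commenter’s code and not a particular product: a small Go reverse proxy that terminates TLS with an explicit protocol floor in front of an old plain-HTTP static server, and, in the spirit of the “block scripting over http” wish upthread, stamps a script-forbidding Content-Security-Policy on every response it relays. The backend address, the certificate file names, the port numbers and the policy string are assumptions chosen for the example.

```go
package main

import (
	"crypto/tls"
	"log"
	"net/http"
	"net/http/httputil"
	"net/url"
)

// newTLSConfig is the one place the TLS floor lives. This is the "ongoing
// maintenance" the thread talks about: when the next protocol version is
// deprecated, this is the line that changes, and the backend never notices.
func newTLSConfig() *tls.Config {
	return &tls.Config{MinVersion: tls.VersionTLS12}
}

// newProxyHandler forwards every request to the plain-HTTP backend (an
// assumed address such as http://127.0.0.1:8080) and adds a policy that tells
// browsers to run no scripts at all, which is what a script-free static site
// wants. Because the header is added on the TLS side, nobody between the proxy
// and the visitor can strip or replace it.
func newProxyHandler(backend string) (http.Handler, error) {
	target, err := url.Parse(backend)
	if err != nil {
		return nil, err
	}
	rp := httputil.NewSingleHostReverseProxy(target)
	rp.ModifyResponse = func(resp *http.Response) error {
		resp.Header.Set("Content-Security-Policy", "default-src 'self'; script-src 'none'")
		return nil
	}
	return rp, nil
}

// redirectToHTTPS is the handler for the plain-HTTP listener: it sends every
// visitor to the same path on the TLS listener with a permanent redirect.
func redirectToHTTPS(w http.ResponseWriter, r *http.Request) {
	http.Redirect(w, r, "https://"+r.Host+r.URL.RequestURI(), http.StatusMovedPermanently)
}

func main() {
	handler, err := newProxyHandler("http://127.0.0.1:8080") // assumed backend
	if err != nil {
		log.Fatal(err)
	}
	// Port 80 only redirects; the real content is served on 443.
	go func() {
		log.Fatal(http.ListenAndServe(":80", http.HandlerFunc(redirectToHTTPS)))
	}()
	srv := &http.Server{
		Addr:      ":443",
		Handler:   handler,
		TLSConfig: newTLSConfig(),
	}
	// cert.pem and key.pem are assumed file names, e.g. as issued by Let's Encrypt.
	log.Fatal(srv.ListenAndServeTLS("cert.pem", "key.pem"))
}
```

The backend behind this keeps answering plain HTTP on localhost exactly as it did in 2000; everything the thread lists as recurring work (TLS library, protocol floor, certificate renewal) is concentrated in the proxy process. The Content-Security-Policy header is worth noting from the defender's side: sent over plain HTTP it would be just another thing an on-path party could remove, which is why it only means something once it travels inside the TLS connection.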

                2. 1

                  Heck, FTP is still kicking around! My guess is HTTP hangs on for a while longer, but like ftp may eventually be dropped by browsers and become a bit more specific to certain use-cases.