On 15/01/2022 15:30, Diego Garcia wrote:
> On Sat, 15 Jan 2022 14:25:13 +0000, Rich wrote:
>
>>
>> While you /can/ spend extra $$$$, you certianly do not have to do so:
>>
>> https://en.wikipedia.org/wiki/Let's_Encrypt
>>
>
> Let's Encrypt requires a dedicated IP address.
>
> People, such as myself, who choose to use shared hosting must
> then purchase a dedicated IP address.
>
cant you afford a virtual private server?

> The expense is not significant, but the principle involved certainly
> is significant. Why should Google be permitted to dictate how web sites
> are implemented? Why should google be permitted to act as an ad hoc,
> self-proclaimed web authority?

because it can?

>
> Google also has influenced the removal of FTP capability from web
> browsers, again due to their obsession with security and their desire
> to be the "nanny" of the Internet.
>
> Anyone who uses a browser based on Google's engine is complicit
> in their evil empire.
>
>

Yawn.

--
The theory of Communism may be summed up in one sentence: Abolish all
private property.

Karl Marx

Diego Garcia <dg@chaos.info> wrote:
> On Sat, 15 Jan 2022 16:29:34 +0000, Rich wrote:
>
>>>
>>> Let's Encrypt requires a dedicated IP address.
>>
>> Are you certian of that fact?
>>
>
> It depends on the hosting provider.
>
> My provider requires a static IP for all certs.

So you accused Let's Encrypt of requiring dedicated IP addresses when
in fact it was your web host provider that had the requirement.

It is not at all Let's Encrypt's fault that your web host provider has
additional requirements for certificate usage.

The Natural Philosopher <tnp@invalid.invalid> wrote:
> On 15/01/2022 14:08, Diego Garcia wrote:
>> People who maintain
>> their own web sites, such as myself, are thereby forced to spend extra
>> $$$$ to purchase certs regularly from a cert authority. This is veritable
>> blackmail.
> No, you use the free 'letsencrypt' service. takes almost 5 minutes and
> costs nothing

Except the rest of your life worrying that something might have
gone wrong and prevented the renewal process from working, causing
your site to effectively go down (except to people like me who
usually "accept the risks and continue" when their browser warns
about a certificate error because they know that the info has no
real need to be encrypted/verified in the first place).

Anyway I don't think Google really care. I've got a website that
can be accessed over either HTTP or HTTPS (a choice I wish that
everyone who runs purely information websites would permit), and
Google still happily put HTTP links to it high in their search
results for some not-exceptionally-specific searches.

--
__ __
#_ < |\| |< _#

Markus Heinz <markus.heinz@uni-dortmund.de> wrote:
> On 2022-01-15 17:21 +0000 Diego Garcia wrote:
>> On Sat, 15 Jan 2022 18:06:15 +0100, Markus Heinz wrote:
>> > I think encrypting website traffic with TLS is a good thing as it
>> > makes it at least harder to tamper with or eavesdrop on it.
>>
>> How would an encrypted connection benefit a web site that exists
>> solely to provide information? (Remember the "information
>> superhighway?")
>>
>> Answer: there would be NO benefit. None. Zip. Nada.
>
> A malicious router in the internet which forwards the information from
> the web server to the client's browser could alter the information.
>
> Imagine the contents of a popular weather forecast website might get
> modified in transmission to announce some hurricans when there is no
> meteorological cause to announce this.
> [snip]
>
> Governments and secret services have the possibility and maybe also the
> interest to do those things. Encrypting the traffic with HTTPS / TLS
> makes it harder for them. But still you have to trust the source of
> information of course.

The source, which practically speaking is today usually a server
owned and run by a large company which could be easily forced by
such governments to grant them access to that server and play with
the information from that end.

But I don't mind HTTPS really, I just wish websites would stop
redirecting me too it when I know I don't need it for particular
sites.

--
__ __
#_ < |\| |< _#

On 15/01/2022 23:22, Computer Nerd Kev wrote:
> The Natural Philosopher <tnp@invalid.invalid> wrote:
>> On 15/01/2022 14:08, Diego Garcia wrote:
>>> People who maintain
>>> their own web sites, such as myself, are thereby forced to spend extra
>>> $$$$ to purchase certs regularly from a cert authority. This is veritable
>>> blackmail.
>> No, you use the free 'letsencrypt' service. takes almost 5 minutes and
>> costs nothing
>
> Except the rest of your life worrying that something might have
> gone wrong and prevented the renewal process from working, causing
> your site to effectively go down (except to people like me who
> usually "accept the risks and continue" when their browser warns
> about a certificate error because they know that the info has no
> real need to be encrypted/verified in the first place).
>
One of my machines has its http port disabled most of the time and works
only on https so lets encrypt renewal is a manual process - but since
they email me every time its about to expire, its is just a five minute
job every three months or so.

I think that my main public facing site has been autorenewing happily
for the last 4 years.

I cant see how paying for the service would make the renewal process any
different.

Feel free to enlighten me.

> Anyway I don't think Google really care. I've got a website that
> can be accessed over either HTTP or HTTPS (a choice I wish that
> everyone who runs purely information websites would permit), and
> Google still happily put HTTP links to it high in their search
> results for some not-exceptionally-specific searches.
>
It's less that google care, it's more that many browsers are now set up
to issue dire warnings on non https sites, even those that are one way
providers of public information.

Also many random ratware programs knock on port 80 doors. They seem to
knock less on 443...reduces traffic.

--
Gun Control: The law that ensures that only criminals have guns.

not@telling.you.invalid (Computer Nerd Kev) writes:
> The Natural Philosopher <tnp@invalid.invalid> wrote:
>> On 15/01/2022 14:08, Diego Garcia wrote:
>>> People who maintain their own web sites, such as myself, are thereby
>>> forced to spend extra $$$$ to purchase certs regularly from a cert
>>> authority. This is veritable blackmail.
>> No, you use the free 'letsencrypt' service. takes almost 5 minutes
>> and costs nothing
>
> Except the rest of your life worrying that something might have
> gone wrong and prevented the renewal process from working, causing
> your site to effectively go down (except to people like me who
> usually "accept the risks and continue" when their browser warns
> about a certificate error because they know that the info has no
> real need to be encrypted/verified in the first place).

You could worry about it ineffectually or you could do something about
it. For example:

- letsencrypt certificates are normally renewed by a cronjob. Read your
cron mail and check for errors.

- Certificates have expiry times. Use a network monitor of some kind to
check that expiry of certificates you care about isn’t getting too
close and notify you if they are.

--
https://www.greenend.org.uk/rjk/

On 15/01/2022 23:38, Computer Nerd Kev wrote:
> Markus Heinz <markus.heinz@uni-dortmund.de> wrote:
>> On 2022-01-15 17:21 +0000 Diego Garcia wrote:
>>> On Sat, 15 Jan 2022 18:06:15 +0100, Markus Heinz wrote:
>>>> I think encrypting website traffic with TLS is a good thing as it
>>>> makes it at least harder to tamper with or eavesdrop on it.
>>>
>>> How would an encrypted connection benefit a web site that exists
>>> solely to provide information? (Remember the "information
>>> superhighway?")
>>>
>>> Answer: there would be NO benefit. None. Zip. Nada.
>>
>> A malicious router in the internet which forwards the information from
>> the web server to the client's browser could alter the information.
>>
>> Imagine the contents of a popular weather forecast website might get
>> modified in transmission to announce some hurricans when there is no
>> meteorological cause to announce this.
>> [snip]
>>
>> Governments and secret services have the possibility and maybe also the
>> interest to do those things. Encrypting the traffic with HTTPS / TLS
>> makes it harder for them. But still you have to trust the source of
>> information of course.
>
> The source, which practically speaking is today usually a server
> owned and run by a large company which could be easily forced by
> such governments to grant them access to that server and play with
> the information from that end.
>
> But I don't mind HTTPS really, I just wish websites would stop
> redirecting me too it when I know I don't need it for particular
> sites.
>
I agree with Diego that https is redundant in many cases. Its something
I am glad to have when accessing my banks or share trading companies, or
going shopping
online ... but looking up the weather forecast or reading the papers its
probably overkill.

And it isn't the guvmint you need to worry about, its the cousin of the
sysadsmin at the ISP who tips a switch into promiscuous mode, and
collects a load of free name password pairs to add to his list of 'let's
try these first' crackers...

...I was appalled to see when I visited a well known 'dark office' to
install a cable between two dark offices full of racks, that the wiring
all ran under the corridor floors, which we lifted to reveal about 1000
coloured cables, (not all of them LSOH), running between peoples kit.
Snip, crimp and pop a monitor in some dark corner...

The other issue is that routine encryption probably helps with deep
packet inspection.

The only people now who can deep packet inspect are those that hold the
TLS keys. Which effectively means the guvmint or the organisation you
are connecting to, not the ISP...

I agree with you that I don't really mind, now that I can encrypt my
websites for free.

It really marks a shift in the internet away from providing information
to a way of doing private business.

--
"And if the blind lead the blind, both shall fall into the ditch".

Gospel of St. Mathew 15:14

On 2022-01-15, Computer Nerd Kev <not@telling.you.invalid> wrote:

> But I don't mind HTTPS really, I just wish websites would stop
> redirecting me too it when I know I don't need it for particular
> sites.

This becomes problematic if you're in a hotel and trying to connect
to its wi-fi. If you go to a site that automatically promotes you
to HTTPS, you'll never get picked up by the hotel's captive portal,
which you need to get connected in the first place. That's why the
first place I go is http://neverssl.com - it's an HTTP-only site
designed to work around exactly this problem.

--
/~\ Charlie Gibbs | Microsoft is a dictatorship.
\ / <cgibbs@kltpzyxm.invalid> | Apple is a cult.
X I'm really at ac.dekanfrus | Linux is anarchy.
/ \ if you read it the right way. | Pick your poison.

The Natural Philosopher <tnp@invalid.invalid> wrote:
> On 15/01/2022 23:22, Computer Nerd Kev wrote:
>> The Natural Philosopher <tnp@invalid.invalid> wrote:
>>> On 15/01/2022 14:08, Diego Garcia wrote:
>>>> People who maintain
>>>> their own web sites, such as myself, are thereby forced to spend extra
>>>> $$$$ to purchase certs regularly from a cert authority. This is veritable
>>>> blackmail.
>>> No, you use the free 'letsencrypt' service. takes almost 5 minutes and
>>> costs nothing
>>
>> Except the rest of your life worrying that something might have
>> gone wrong and prevented the renewal process from working, causing
>> your site to effectively go down (except to people like me who
>> usually "accept the risks and continue" when their browser warns
>> about a certificate error because they know that the info has no
>> real need to be encrypted/verified in the first place).
>>
> One of my machines has its http port disabled most of the time and works
> only on https so lets encrypt renewal is a manual process - but since
> they email me every time its about to expire, its is just a five minute
> job every three months or so.
>
> I think that my main public facing site has been autorenewing happily
> for the last 4 years.
>
> I cant see how paying for the service would make the renewal process any
> different.

It wouldn't, hence all the sites with broken certificates that I
still used to encounter even before Let's Encrypt. It's an extra
thing to go wrong either way.

> Also many random ratware programs knock on port 80 doors. They seem to
> knock less on 443...reduces traffic.

Though the encrypted connections which are made require more CPU
time on the server.

--
__ __
#_ < |\| |< _#

Richard Kettlewell <invalid@invalid.invalid> wrote:
> not@telling.you.invalid (Computer Nerd Kev) writes:
>> The Natural Philosopher <tnp@invalid.invalid> wrote:
>>> On 15/01/2022 14:08, Diego Garcia wrote:
>>>> People who maintain their own web sites, such as myself, are thereby
>>>> forced to spend extra $$$$ to purchase certs regularly from a cert
>>>> authority. This is veritable blackmail.
>>> No, you use the free 'letsencrypt' service. takes almost 5 minutes
>>> and costs nothing
>>
>> Except the rest of your life worrying that something might have
>> gone wrong and prevented the renewal process from working, causing
>> your site to effectively go down (except to people like me who
>> usually "accept the risks and continue" when their browser warns
>> about a certificate error because they know that the info has no
>> real need to be encrypted/verified in the first place).
>
> You could worry about it ineffectually or you could do something about
> it. For example:
>
> - letsencrypt certificates are normally renewed by a cronjob. Read your
> cron mail and check for errors.
>
> - Certificates have expiry times. Use a network monitor of some kind to
> check that expiry of certificates you care about isn't getting too
> close and notify you if they are.

True, but the mail provider you use (if not running your own) might
have an outage and the warning email doesn't get delivered, or you
might be on holiday and can't check emails because you don't have
internet access. etc.

All I'm saying is that it's another thing to go wrong, and the
frequent occourance of certificate errors while I look up
low-traffic one man (who may no longer be very interested) show
type websites indicates that it often does.

--
__ __
#_ < |\| |< _#

On 16/01/2022 21:42, Computer Nerd Kev wrote:
> The Natural Philosopher <tnp@invalid.invalid> wrote:
>> On 15/01/2022 23:22, Computer Nerd Kev wrote:
>>> The Natural Philosopher <tnp@invalid.invalid> wrote:
>>>> On 15/01/2022 14:08, Diego Garcia wrote:
>>>>> People who maintain
>>>>> their own web sites, such as myself, are thereby forced to spend extra
>>>>> $$$$ to purchase certs regularly from a cert authority. This is veritable
>>>>> blackmail.
>>>> No, you use the free 'letsencrypt' service. takes almost 5 minutes and
>>>> costs nothing
>>>
>>> Except the rest of your life worrying that something might have
>>> gone wrong and prevented the renewal process from working, causing
>>> your site to effectively go down (except to people like me who
>>> usually "accept the risks and continue" when their browser warns
>>> about a certificate error because they know that the info has no
>>> real need to be encrypted/verified in the first place).
>>>
>> One of my machines has its http port disabled most of the time and works
>> only on https so lets encrypt renewal is a manual process - but since
>> they email me every time its about to expire, its is just a five minute
>> job every three months or so.
>>
>> I think that my main public facing site has been autorenewing happily
>> for the last 4 years.
>>
>> I cant see how paying for the service would make the renewal process any
>> different.
>
> It wouldn't, hence all the sites with broken certificates that I
> still used to encounter even before Let's Encrypt. It's an extra
> thing to go wrong either way.
>
>> Also many random ratware programs knock on port 80 doors. They seem to
>> knock less on 443...reduces traffic.
>
> Though the encrypted connections which are made require more CPU
> time on the server.
>
One presumes so, though how much this is an issue is unknown to me, at
least.

--
Climate Change: Socialism wearing a lab coat.

On Sat, 15 Jan 2022 18:42:45 +0100, Markus Heinz wrote:

>>
>> Answer: there would be NO benefit. None. Zip. Nada.
>
> A malicious router in the internet which forwards the information from
> the web server to the client's browser could alter the information.
>
> Imagine the contents of a popular weather forecast website might get
> modified in transmission to announce some hurricans when there is no
> meteorological cause to announce this.
>

I thank you for your informed response.

But my web site is not a popular weather forecast site nor does it
contain election results or software. It is a web site that provides
practical information to anyone who may be interested. I cannot
imagine why any third party would ever be interested in compromising
the site. Therefore, the use of the HTTPS protocol for access
is simply and totally irrational.

It is an issue of COMMON SENSE. If ones barn contains nothing
of value then there is no need to lock it.

--
Scratch your technical itch:
https://www.linuxfromscratch.org/

Diego Garcia <dg@chaos.info> wrote:
> On Sat, 15 Jan 2022 18:42:45 +0100, Markus Heinz wrote:
>
>>>
>>> Answer: there would be NO benefit. None. Zip. Nada.
>>
>> A malicious router in the internet which forwards the information from
>> the web server to the client's browser could alter the information.
>>
>> Imagine the contents of a popular weather forecast website might get
>> modified in transmission to announce some hurricans when there is no
>> meteorological cause to announce this.
>>
>
> I thank you for your informed response.
>
> But my web site is not a popular weather forecast site nor does it
> contain election results or software. It is a web site that provides
> practical information to anyone who may be interested. I cannot
> imagine why any third party would ever be interested in compromising
> the site. Therefore, the use of the HTTPS protocol for access
> is simply and totally irrational.
>
> It is an issue of COMMON SENSE. If ones barn contains nothing
> of value then there is no need to lock it.

Ok, then how about someone deciding to dox you, and they intercept the
contents of your website, substituting child-porn images, resulting in
local law enforcement arresting you for distribution of child-porn (and
then you having to deal with educating local law enforcement about what
is/is not stored on your site and about how someone can modify the
pages in transit to a viewing browser)?

On Mon, 17 Jan 2022 23:39:18 +0000, Diego Garcia wrote:

> On Sat, 15 Jan 2022 18:42:45 +0100, Markus Heinz wrote:
>
>>>
>>> Answer: there would be NO benefit. None. Zip. Nada.
>>
>> A malicious router in the internet which forwards the information from
>> the web server to the client's browser could alter the information.
>>
>> Imagine the contents of a popular weather forecast website might get
>> modified in transmission to announce some hurricans when there is no
>> meteorological cause to announce this.
>>
>
> I thank you for your informed response.
>
> But my web site is not a popular weather forecast site nor does it
> contain election results or software. It is a web site that provides
> practical information to anyone who may be interested. I cannot
> imagine why any third party would ever be interested in compromising
> the site. Therefore, the use of the HTTPS protocol for access
> is simply and totally irrational.

There are miscreants who like to use other people's internet-connected
computers for "evil" purposes (anything from spam-bombing to DDoS attacks,
and more). A system that has not been adequately secured may be compromised
in one manner or another, to permit (if not root) uncontrolled access.

Even those sites operated by those who "cannot imagine why any third party
would ever be interested in compromising the site" can be compromised for
such tasks.

It is best to take precautions, even if you imagine them to be unnecessary.

As for the "HTTPS everywhere" crowd, I concur that it may be overkill. So
long as you adequately control remote access, you don't /need/ HTTPS for
an information-only site.

>
> It is an issue of COMMON SENSE. If ones barn contains nothing
> of value then there is no need to lock it.

As the drug dealers that use the barn to consummate their deals would like
you to believe.

--
Lew Pitcher
"In Skills, We Trust"

On Mon, 17 Jan 2022 23:48:45 -0000 (UTC), Lew Pitcher wrote:

>
> There are miscreants who like to use other people's internet-connected
> computers for "evil" purposes (anything from spam-bombing to DDoS attacks,
> and more). A system that has not been adequately secured may be compromised
> in one manner or another, to permit (if not root) uncontrolled access.
>
> Even those sites operated by those who "cannot imagine why any third party
> would ever be interested in compromising the site" can be compromised for
> such tasks.
>

OK. I am convinced. It is a simple matter, and not all that expensive, to convert.

But it will take some time and effort.

Before too long I will have my web site converted to HTTPS.

I am an applications programmer and not a network programmer and thus
and I am not aware of all the possibilities for compromise.

--
Scratch your technical itch:
https://www.linuxfromscratch.org/

On Mon, 17 Jan 2022 23:39:18 +0000, Diego Garcia wrote:
> On Sat, 15 Jan 2022 18:42:45 +0100, Markus Heinz wrote:

>>
>
> I thank you for your informed response.
>
> But my web site is not a popular weather forecast site nor does it
> contain election results or software. It is a web site that provides
> practical information to anyone who may be interested. I cannot
> imagine why any third party would ever be interested in compromising
> the site. Therefore, the use of the HTTPS protocol for access
> is simply and totally irrational.
>
> It is an issue of COMMON SENSE. If ones barn contains nothing
> of value then there is no need to lock it.

If some criminal uses your site to crack into another site then you
will be the one who gets free bed and board at the local barbed wire
hotel. Hope you have someone who could pay your bills while at the
barbed wire hotel.

Then there is bail money, lawyer fees and whatnot. Computer will be held
as evidence for a year or more.....

Just not worth the possible suit brought against you for not taking basic
steps to protect your site and damages caused by whatever was on YOUR
system.

Diego Garcia <dg@chaos.info> writes:
> On Sat, 15 Jan 2022 18:42:45 +0100, Markus Heinz wrote:
>>> Answer: there would be NO benefit. None. Zip. Nada.
>>
>> A malicious router in the internet which forwards the information from
>> the web server to the client's browser could alter the information.
>>
>> Imagine the contents of a popular weather forecast website might get
>> modified in transmission to announce some hurricans when there is no
>> meteorological cause to announce this.
>
> I thank you for your informed response.
>
> But my web site is not a popular weather forecast site nor does it
> contain election results or software. It is a web site that provides
> practical information to anyone who may be interested. I cannot
> imagine why any third party would ever be interested in compromising
> the site. Therefore, the use of the HTTPS protocol for access is
> simply and totally irrational.

One real-world motivation is to insert adverts into web pages, in order
to make money. I’ve seen Wikipedia with inserted adverts resulting from
tampering (not with a network-based mechanism, but the point stands). I
guess today inserting a JavaScript-based cryptocurrency miner is a
plausible threat model too.

--
https://www.greenend.org.uk/rjk/

On 17/01/2022 23:48, Lew Pitcher wrote:
> As for the "HTTPS everywhere" crowd, I concur that it may be overkill. So
> long as you adequately control remote access, you don't/need/ HTTPS for
> an information-only site.

Except that many browsers will *no longer connect* to a non https site.
For naive users.

--
Any fool can believe in principles - and most of them do!

On 18/01/2022 01:08, Diego Garcia wrote:
> On Mon, 17 Jan 2022 23:48:45 -0000 (UTC), Lew Pitcher wrote:
>
>>
>> There are miscreants who like to use other people's internet-connected
>> computers for "evil" purposes (anything from spam-bombing to DDoS attacks,
>> and more). A system that has not been adequately secured may be compromised
>> in one manner or another, to permit (if not root) uncontrolled access.
>>
>> Even those sites operated by those who "cannot imagine why any third party
>> would ever be interested in compromising the site" can be compromised for
>> such tasks.
>>
>
> OK. I am convinced. It is a simple matter, and not all that expensive, to convert.

If you are running apache, on linux, its trivial and cost free with
letsencrypt.

>
> But it will take some time and effort.
>
> Before too long I will have my web site converted to HTTPS.
>
> I am an applications programmer and not a network programmer and thus
> and I am not aware of all the possibilities for compromise.
>

--
Any fool can believe in principles - and most of them do!

The Natural Philosopher <tnp@invalid.invalid> writes:
> On 17/01/2022 23:48, Lew Pitcher wrote:
>> As for the "HTTPS everywhere" crowd, I concur that it may be overkill. So
>> long as you adequately control remote access, you don't/need/ HTTPS for
>> an information-only site.
>
> Except that many browsers will *no longer connect* to a non https
> site. For naive users.

Got an example of a such a browser in mind?

--
https://www.greenend.org.uk/rjk/

On 18/01/2022 11:01, Richard Kettlewell wrote:
> The Natural Philosopher <tnp@invalid.invalid> writes:
>> On 17/01/2022 23:48, Lew Pitcher wrote:
>>> As for the "HTTPS everywhere" crowd, I concur that it may be overkill. So
>>> long as you adequately control remote access, you don't/need/ HTTPS for
>>> an information-only site.
>>
>> Except that many browsers will *no longer connect* to a non https
>> site. For naive users.
>
> Got an example of a such a browser in mind?
>
Firefox if 'enable https only' mode is selected.

I have no idea if this is the default. I remember I had to switch it off
some years back.

Also edge safari and shortly in chrome

In short the way the walled garden safe space kindergarten kids want
things these days, that's likely to be a default in a few months

--
“Those who can make you believe absurdities, can make you commit
atrocities.”

― Voltaire, Questions sur les Miracles à M. Claparede, Professeur de
Théologie à Genève, par un Proposant: Ou Extrait de Diverses Lettres de
M. de Voltaire

The Natural Philosopher <tnp@invalid.invalid> writes:
> On 18/01/2022 11:01, Richard Kettlewell wrote:
>> The Natural Philosopher <tnp@invalid.invalid> writes:
>>> On 17/01/2022 23:48, Lew Pitcher wrote:
>>>> As for the "HTTPS everywhere" crowd, I concur that it may be overkill. So
>>>> long as you adequately control remote access, you don't/need/ HTTPS for
>>>> an information-only site.
>>>
>>> Except that many browsers will *no longer connect* to a non https
>>> site. For naive users.
>> Got an example of a such a browser in mind?
>
> Firefox if 'enable https only' mode is selected.
>
> I have no idea if this is the default. I remember I had to switch it
> off some years back.

It isn’t.

> Also edge safari and shortly in chrome

All of Edge, Safari, Chrome and Firefox seem to be happy to visit http:
sites for me.

--
https://www.greenend.org.uk/rjk/

Diego Garcia <dg@chaos.info> wrote:
> On Mon, 17 Jan 2022 23:48:45 -0000 (UTC), Lew Pitcher wrote:
>>
>> There are miscreants who like to use other people's internet-connected
>> computers for "evil" purposes (anything from spam-bombing to DDoS attacks,
>> and more). A system that has not been adequately secured may be compromised
>> in one manner or another, to permit (if not root) uncontrolled access.
>>
>> Even those sites operated by those who "cannot imagine why any third party
>> would ever be interested in compromising the site" can be compromised for
>> such tasks.
>
> OK. I am convinced. It is a simple matter, and not all that expensive, to convert.
>
> But it will take some time and effort.
>
> Before too long I will have my web site converted to HTTPS.
>
> I am an applications programmer and not a network programmer and thus
> and I am not aware of all the possibilities for compromise.

Focus on your applications if you're worried about your site being
hacked in order to be using in spam-bombing, DDoS attacks etc.
What Lew Pitcher wrote there has nothing to do with HTTPS, unless
you're using HTTP to log into some sort of web-based administration
interface.

If the server software, or more likely a CGI program/script that's
on your site, has a security vulnerability that will allow
unauthenticated users to make your server do something malicious,
then that will still be there whether the pages are sent over HTTP
or HTTPS. All HTTPS will do from a server security perspective is
make sure that nobody steals passwords for log-in pages which might
allow access to less-secure parts of your site. If you don't have
any such log-in pages, then it's not preventing anything.

Either way, there's no reason to redirect requests from HTTP to
HTTPS except when someone's accessing those log-in pages
(page-specific HTTPS redirects are easily done with Apache, and
probably other web server software). Doing so simply makes life
difficult for people trying to use old/unmaintained web browsers
and, by extension, devices.

--
__ __
#_ < |\| |< _#

Bit Twister <BitTwister@mouse-potato.com> wrote:
> On Mon, 17 Jan 2022 23:39:18 +0000, Diego Garcia wrote:
>> On Sat, 15 Jan 2022 18:42:45 +0100, Markus Heinz wrote:
>> I thank you for your informed response.
>>
>> But my web site is not a popular weather forecast site nor does it
>> contain election results or software. It is a web site that provides
>> practical information to anyone who may be interested. I cannot
>> imagine why any third party would ever be interested in compromising
>> the site. Therefore, the use of the HTTPS protocol for access
>> is simply and totally irrational.
>>
>> It is an issue of COMMON SENSE. If ones barn contains nothing
>> of value then there is no need to lock it.
>
> If some criminal uses your site to crack into another site then you
> will be the one who gets free bed and board at the local barbed wire
> hotel. Hope you have someone who could pay your bills while at the
> barbed wire hotel.
>
> Then there is bail money, lawyer fees and whatnot. Computer will be held
> as evidence for a year or more.....
>
> Just not worth the possible suit brought against you for not taking basic
> steps to protect your site and damages caused by whatever was on YOUR
> system.

But unless he's using HTTP connections to actually control his web
server, HTTPS is an irrelevent "step". You should be talking about
using SSH instead of Telnet, SFTP instead of FTP, and making sure
there aren't any vulnerabilities in scripts or programs run by the
server that process user input.

--
__ __
#_ < |\| |< _#

On Tue, 18 Jan 2022 21:33:27 +0000, Computer Nerd Kev wrote:

> Diego Garcia <dg@chaos.info> wrote:
>> On Mon, 17 Jan 2022 23:48:45 -0000 (UTC), Lew Pitcher wrote:
>>>
>>> There are miscreants who like to use other people's internet-connected
>>> computers for "evil" purposes (anything from spam-bombing to DDoS attacks,
>>> and more). A system that has not been adequately secured may be compromised
>>> in one manner or another, to permit (if not root) uncontrolled access.
>>>
>>> Even those sites operated by those who "cannot imagine why any third party
>>> would ever be interested in compromising the site" can be compromised for
>>> such tasks.
>>
>> OK. I am convinced. It is a simple matter, and not all that expensive, to convert.
>>
>> But it will take some time and effort.
>>
>> Before too long I will have my web site converted to HTTPS.
>>
>> I am an applications programmer and not a network programmer and thus
>> and I am not aware of all the possibilities for compromise.
>
> Focus on your applications if you're worried about your site being
> hacked in order to be using in spam-bombing, DDoS attacks etc.
> What Lew Pitcher wrote there has nothing to do with HTTPS, unless
> you're using HTTP to log into some sort of web-based administration
> interface.

FWIW, I made no claim that the OP required HTTPS to secure the his site.
What I said was:

>>> As for the "HTTPS everywhere" crowd, I concur that it may be
>>> overkill. So long as you adequately control remote access, you
>>> don't /need/ HTTPS for an information-only site.

[snip]

HTH
--
Lew Pitcher
"In Skills, We Trust"