Http is bad (more than i thought :3)

Look! let’s be clear we all know that http is bad & we all must use https such as https everywhere addon so it just i’m shocked about how much data i got from http i mean already know about i can get login info from http websites but no i got other data such as cookies, my user agent, my screen size & probably more but i did not notice so yeah after this i wont even use http at all :3

THE VIDEO Uploaded on mastodon so do not worry…

1 Like

Technically, HTTPS is HTTP + TLS. So you still use HTTP if you use HTTPS. A more correct message would be “We should use encrypted communication protocols as much as possible” since other protocols like FTP are also in cleartext while not being related to HTTP.

Then, HTTP only (= cleartext) is not always dangerous. For example, if you run a service on your localhost (on the same machine) and access it via a client on your localhost, there is no need to use HTTPS. The same is true for LANs in some cases.

Moreover, HTTPS doesn’t mean that it is secure since you can use SSL 2.0 or 3.0 for HTTPS. Both protocols are broken and insecure. See also https://infosec-handbook.eu/blog/web-security-myths/#m3.

Finally, HTTPS is a little bit overkill for several use cases. For instance, if you enter a website that shows the same public content for everybody, there is – in theory – no need to encrypt traffic. However, you likely want to know if this cleartext traffic is still the same traffic as sent by the server. This is about integrity and authenticity. There is a internet draft “Signing HTTP Messages” addressing this: https://datatracker.ietf.org/doc/draft-cavage-http-signatures/

In summary, HTTPS doesn’t solve all problems and it is less about “always use HTTPS instead of HTTP” but about “use encrypted communication protocols and ensure that they use state-of-the-art algorithms”.

Note that HTTPS and most other encrypted communication protocols only secure network traffic between to points. Their purpose is to protect data in transit. They can’t protect data at rest (e.g., data stored in databases), or data in use (e.g., data that is currently in a server’s memory).

2 Likes

good expiation :clap::clap: