Author Topic: [EXAMPLE] HTTPClient test web site valid- not 100% depends on Browser  (Read 4244 times)

Warfley

  • Hero Member
  • *****
  • Posts: 1864
Re: test if web site is valid
« Reply #15 on: January 13, 2025, 10:16:24 pm »
Quote:
Since the http:// sites are 100% static, there is no need for https.
Except that an attacker can impersonate your website. There are a whole host of attacks that are possible. E.g. an attacker can inject JavaScript into the website to mine cryptocurrencies with the user's browser while they visit your website, or more overtly could embed advertisements to gain money from the people visiting your website. Or an attacker could use the trust the user has in your website and trick people with scams, e.g. advocating for some dubious services or something. A bit more maliciously, they could provide downloads which contain malware or link to malicious websites etc.

HTTPS is not just encryption, it's also authorization. While DNS certificates are just domain verified, certificate transparency (which is a requirement for CAs to be accepted into the browsers' certificate stores) ensures that no two certificates should be issued to the same domain. Additionally you can register a DNSSec entry, with the CA you get your certificate from, to ensure that no other corrupted CA impersonates your website.

Even static websites can be dangerous. I mean your website is quite small so the risk is negligible, but imagine a news website from a big news organization. News articles are 100% static, yet someone who could just put anything up on such a website, any fake stories, any scams, etc. could seriously do a lot of harm.

Static or not, HTTPS should always be used unless in very specific circumstances (e.g. on calls to localhost, or extremely small local networks), especially as Let's Encrypt makes it completely free.

dbannon

  • Hero Member
  • *****
  • Posts: 3215
    • tomboy-ng, a rewrite of the classic Tomboy
Re: test if web site is valid
« Reply #16 on: January 14, 2025, 12:36:15 am »
Quote from: Warfley
Static or not, HTTPS should always be used unless in very specific circumstances (e.g. on calls to localhost, or extremely small local networks), especially as Let's Encrypt makes it completely free

While I agree with the general position, there is a real need for people to be able to connect to a 'local' website without security. For example, I have a RasPi managing my solar hot water service; it's on my private subnet and shows me a number of relevant temperatures. It's on my "small local domain" (of course) so it's not possible to get a Let's Encrypt cert; they, sensibly, want to verify I own the domain. I have two other, similar examples but won't bore you with the details.

If I could get a Let's Encrypt cert, maybe I would, but probably not.

The key may be whether it's a publicly visible website or not.

Davo



Lazarus 3, Linux (and reluctantly Win10/11, OSX Monterey)
My Project - https://github.com/tomboy-notes/tomboy-ng and my github - https://github.com/davidbannon

Warfley

  • Hero Member
  • *****
  • Posts: 1864
Re: test if web site is valid
« Reply #17 on: January 14, 2025, 12:42:12 am »
Yeah, as I said, like small local networks, where you know each of the devices in it by heart, it's not an issue. If it gets bigger than that, especially if you don't fully trust all the devices (e.g. I don't trust any smart home devices at all), you can use self-signed certificates. Just create them locally and add them to your browser and you're fine without any public CA like Let's Encrypt.

dbannon

  • Hero Member
  • *****
  • Posts: 3215
    • tomboy-ng, a rewrite of the classic Tomboy
Re: test if web site is valid
« Reply #18 on: January 14, 2025, 01:08:05 am »
Indeed. I used to run a Certificate Authority for scientific use; because we were not recognized by the browsers, our users, maybe 1000 in AU, had to do just that, and they hated it! I expect (and hope) it has not got any easier.

At present, my Firefox on both laptop and phone is happy to work with http; 18 months ago, for a brief time, it was not. I expect that's what is confusing TRon: there were sufficient complaints that e.g. Firefox decided to reverse that extra security decision. Maybe only for local subnets?

Davo

Warfley

  • Hero Member
  • *****
  • Posts: 1864
Re: test if web site is valid
« Reply #19 on: January 14, 2025, 01:22:48 am »
Both Mozilla and Google are pretty open about wanting to get rid of the http and https distinction. The reason for this is that people confuse the lock symbol with some form of seal of quality or authenticity, so while the proliferation of free certificates is overall a net good for security online, it had the side effect that it lent legitimacy to scamming websites.

This is why the https lock has been changing over the versions, being like very highlighted in green, even with a text saying "secure" in earlier versions of FF and Chrome, to now being just a very small pictogram, and much more highlight (i.e. red and with text) when it's not HTTPS.

The final step they want to see is to basically not have any indication for https anymore and just have a warning when there is bare http, and as part of that they recently tried to go in that direction by having the user explicitly accept wanting to open an http website.

There were some exceptions though. Localhost always worked (and is also exempt from CORS enforcement), and I think anything you call without a domain but directly via IP was also excluded. They seem to have rolled back this change, but from what I know they still intend to go further in this direction.

Thaddy

  • Hero Member
  • *****
  • Posts: 16520
  • Kallstadt seems a good place to evict Trump to.
Re: test if web site is valid
« Reply #20 on: January 14, 2025, 06:51:18 pm »
fwiw, that's why I need to change some of my hosting after 25 years, because somebody wants to make money selling certificates, and it did not dawn on them that Let's Encrypt is free...
But I am sure they don't want the Trumps back...
