Are there any reasons for a government website to not support https in 2021?


    • #122379
      Anonymous
      Guest

      Are there any decent reasons for a government website to not support https in 2021 or is it just incompetence?

    • #122381
      Anonymous
      Guest

      there are no decent reasons for any website to not support https in 2012.

    • #122383
      Anonymous
      Guest

      Are there any decent reasons for a bureau of meteorology site to encrypt your connection?

      • #122392
        Anonymous
        Guest

        imagine getting a MITM’d weather forecast

        • #122403
          Anonymous
          Guest

          It’s a good thing that nothing in Australia is important

      • #122394
        Anonymous
        Guest

        This. HTTPS is bloat.

      • #122395
        Anonymous
        Guest

        >Science is public.
        >This. HTTPS is bloat.
        because if everything is encrypted (and there’s no good reason for it not to be) then the things that do need encryption won’t stand out.

        • #122396
          Anonymous
          Guest

          Why would it matter if they stood out?

          • #122398
            Anonymous
            Guest

            So that that traffic that """needs""" encryption can be more closely monitored.

            Also to "Science is public."’s point, just because the information is publicly-accessible doesn’t mean it doesn’t """need""" encryption. Why should anyone else get to know that I looked up the weather?

            • #122399
              Anonymous
              Guest

              Why does it matter if they monitor the traffic if it’s encrypted?

              • #122400
                Anonymous
                Guest

                If encryption makes monitoring irrelevant, then why shouldn’t all web traffic be encrypted 100% of the time to preclude it?

                • #122402
                  Anonymous
                  Guest

                  Because most traffic isn’t worth monitoring.

                  • #122406
                    Anonymous
                    Guest

                    Says who, you?
                    SHALL NOT BE INFRINGED

                    • #122410
                      Anonymous
                      Guest

                      It’s a government website, my man.

                  • #122408
                    Anonymous
                    Guest

                    That doesn’t mean they don’t do it anyway.

                    http://n-gate.com/software/2017/07/12/0/

                    This is a bit like saying "Well, I won’t apply security patches on my computer. I don’t need them, I’m unlikely to be attacked." Which is a.) stupid and b.) not even saving you much effort, since you can just run one command. The same is true of using HTTPS.
                    Also, that chucklefuck says:
                    >None of those things are my problem. If people don’t want to see my site with random trash inserted into it, they can choose not to access it through broken and/or compromised networks.
                    The internet is a broken and/or compromised network. Which is why anyone who puts a site on it should serve it through HTTPS. In any case, at some point he won’t have a choice, browsers will refuse to load it if they can’t negotiate encryption.

                    • #122412
                      Anonymous
                      Guest

                      >This is a bit like saying "Well, I won’t apply security patches on my computer. I don’t need them, I’m unlikely to be attacked."
                      I should have expected you were an updooter.

                    • #122415
                      Anonymous
                      Guest

                      >use https or you will be h4x0r3d
                      compelling argument

                      • #122418
                        Anonymous
                        Guest

                        Why wouldn’t you? It no longer costs anything and there’s no longer any significant speed penalty. It takes a few minutes to set up. Do you lock your doors when you go out? I do. It’s unlikely anyone will come and try the knob and steal shit from me if I don’t, but so what? It takes five seconds to protect against it.

                      • #122425
                        Anonymous
                        Guest

                        More like,
                        >Do you wear a full body disguise and erratically drive to throw off potential surveillance operations when going out in public?
                        >Why not? You’re basically scrotebrained if you don’t. And it’s free.

                      • #122428
                        Anonymous
                        Guest

                        fuck off glowscrote you can have a https certificate for free nowadays

                      • #122429
                        Anonymous
                        Guest

                        >if you don’t install this cert, you’re going to get mugged

                      • #122432
                        Anonymous
                        Guest

                        why didn’t you use that same logic when taking the vax scrotebrain

                      • #122434
                        Anonymous
                        Guest

                        that very analogy has been used before, and way before the wu flu.
                        https://scotthelme.co.uk/https-anti-vaxxers/

                      • #122440
                        Anonymous
                        Guest

                        https is good
                        vax is bad
                        simple as

                      • #122508
                        Anonymous
                        Guest

                        lunduke is right though:
                        certs expiring is obnoxious (and dangerous)

                        certs are easy for bad guys to spoof (i.e. corps, police and state gov) and it’s only slightly harder for malicious or benevolent "hackers" to do the same.

                        what lunduke doesn’t mention, but he should, is that the centralization of power in a certificate "authority" is in itself a threat – for censorship, surveillance, and many other social ills.

                        perhaps instead of https we should have adopted a cryptonet like tor/i2p, but now it is already too late.

                      • #122511
                        Anonymous
                        Guest

                        >centralization of power in a certificate "authority" is in itself a threat
                        Then it’s a really good thing that the majority of certificates are issued by a fully transparent nonprofit organization.

                      • #122513
                        Anonymous
                        Guest

                        a "nonprofit", but power corrupts.
                        transparency has always been a lie and a meme.

                      • #122532
                        Anonymous
                        Guest

                        >sis trust me

                      • #122533
                        Anonymous
                        Guest

                        Why do we even have certs for the web in the first place? You don’t need them if all you want is encrypted traffic.

                        And the "identity verification" part is pretty much obsolete. You can get them for free. And even those paid ones are never checked thoroughly. You can’t trust the 3rd party to verify the identity correctly anymore. That’s why browsers stopped showing a green bar. Cause it’s a false sense of security.

                      • #122534
                        Anonymous
                        Guest

                        You’re confusing authentication and encryption. The only thing a TLS certificate proves (authenticates) is that the person it was issued to did have control of the respective domain **or** website at the time of issuance.
                        It does not prove that you’re connecting to the right server or that the website hasn’t been compromised.
                        The encryption part helps guarantee that nobody has tampered with the communication between you and the server.

                        You seem to criticize some imaginary TLS guarantees but there really aren’t any, that’s all there is to it and the certificates do deliver on their promises.

                      • #122537
                        Anonymous
                        Guest

                        > is that the person it was issued to did have control of the respective domain **or** website at the time of issuance
                        Yes, that’s what I meant with identity verification. And it’s also completely useless in the context of the web.

                        Honestly I don’t understand why browsers don’t allow self signed certs. If all you want is encryption that’s enough.

                      • #122539
                        Anonymous
                        Guest

                        Because anyone can self-sign certs for any domain and users have no idea whose self-signed cert is presented to them since every cert is as valid as all the others.

                      • #122541
                        Anonymous
                        Guest

                        Yes but why would I care about that? What sort of attack could a hacker do to take advantage of this? My traffic is still encrypted, right?

                      • #122542
                        Anonymous
                        Guest

                        The attacker may sit between you and the website, reading all the traffic and changing it as they want, simply because the certificate for "websi.te" might have been presented to you by the attacker, not by the website.
                        This is trivial stuff, not CIA conspiracy theories.
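Added example, not part of any post in this thread: a Python simulation of the point made in the reply above, using a toy Diffie-Hellman exchange to stand in for "encryption only". The group parameters, the `handshake` function and the out-of-band fingerprint (standing in for what a CA-validated certificate provides) are all assumptions made for the illustration.

```python
import hashlib
import hmac
import secrets

# Toy parameters, constructed for illustration only (not a group TLS uses).
P = 2**255 - 19
G = 2


class AuthenticationError(Exception):
    """The key presented for the site is not the one the client trusts."""


def keypair():
    """Return (private, public) for one Diffie-Hellman participant."""
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)


def session_key(priv, peer_pub):
    """Derive a symmetric key from the DH shared secret."""
    shared = pow(peer_pub, priv, P)
    return hashlib.sha256(shared.to_bytes(32, "big")).digest()


def fingerprint(pub):
    """Hash of a public value; stands in for a certificate key fingerprint."""
    return hashlib.sha256(pub.to_bytes(32, "big")).hexdigest()


def handshake(intercepted, authenticate):
    """Simulate one connection to "websi.te" and return the derived keys.

    intercepted:  a party on the network path swaps the public values.
    authenticate: the client checks the key it received against a
                  fingerprint it trusts (assumption: learned via a trusted
                  third party, the role a CA-signed certificate plays).
    """
    srv_priv, srv_pub = keypair()
    cli_priv, cli_pub = keypair()
    trusted_fp = fingerprint(srv_pub)

    seen_by_client, seen_by_server, mid_priv = srv_pub, cli_pub, None
    if intercepted:
        mid_priv, mid_pub = keypair()
        seen_by_client = seen_by_server = mid_pub

    if authenticate and not hmac.compare_digest(
            fingerprint(seen_by_client), trusted_fp):
        raise AuthenticationError("presented key is not the vouched-for key")

    result = {"client_key": session_key(cli_priv, seen_by_client),
              "server_key": session_key(srv_priv, seen_by_server),
              "path_keys": None}
    if intercepted:
        # The on-path party shares one key with each side, so both legs are
        # "encrypted" yet fully readable and modifiable in the middle.
        result["path_keys"] = (session_key(mid_priv, cli_pub),
                               session_key(mid_priv, srv_pub))
    return result


if __name__ == "__main__":
    r = handshake(intercepted=True, authenticate=False)
    print("client and server agree:", r["client_key"] == r["server_key"])
    try:
        handshake(intercepted=True, authenticate=True)
    except AuthenticationError as exc:
        print("with authentication:", exc)
```

Without the fingerprint check the client cannot tell the two cases apart; with it, the intercepted handshake fails before any key is used.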

                      • #122430
                        Anonymous
                        Guest

                        >Do you wear a full body disguise and erratically drive to throw off potential surveillance operations when going out in public
                        you don’t?

                      • #122431
                        Anonymous
                        Guest

                        i dress as a woman in public
                        j-just in case

                      • #122433
                        Anonymous
                        Guest

                        >glowie running up to an empty cabin radioing for backup
                        >the hon is out of the base i repeat the hon is out of the base

                      • #122535
                        Anonymous
                        Guest

                        >use https or you will be h4x0r3d by non 5eye actors
                        ftfy good sir

                    • #122421
                      Anonymous
                      Guest

                      >at some point he won’t have a choice, browsers will refuse to load it if they can’t negotiate encryption.
                      That will be great. You won’t be able to use self-signed certs either because those are A Bad Thing™ so it will be yet another way for people to get deplatformed.

                      • #122423
                        Anonymous
                        Guest

                        Self signed certificates are a bad thing though because the certificate signing system is secure woke af on government secured third parties

                        The only alternative is to have a content management and routing system that doesn’t rely on a trusted third party.
                        Even if you use IPFS to serve your entire website and memechains to change state, users still need to learn that your service exists through a trusted third party.

                      • #122427
                        Anonymous
                        Guest

                        if your argument is that the CA/PKI system is scrotebrained, that I agree with you on. It was designed by ITU bureaucrats in the 80s and X.509 is actually one of the less-obtuse parts of it, incredibly.

                        >Self signed certificates are a bad thing though because the certificate signing system is secure woke af on government secured third parties
                        >
                        >The only alternative is to have a content management and routing system that doesn’t rely on a trusted third party.
                        >Even if you use IPFS to serve your entire website and memechains to change state, users still need to learn that your service exists through a trusted third party.

                        is wrong, the "authentication" provided by CAs is meaningless and never should have been there, and once you’ve dumped that there’s no reason to bother with certs and signing at all. Both sides should just do DH and set up encryption only.
                        >users still need to learn that your service exists through a trusted third party.
                        That’s called DNS, and we don’t need CAs for it.

                        But, y’know, it’s the system we have, and it’s easier to route around it with something like Lets Encrypt that admits the authentication is meaningless and just gives anyone an automated cert if they can prove they control the domain. As opposed to replacing it wholesale. (look how that went with IPv6)

                      • #122435
                        Anonymous
                        Guest

                        I really doubt Let’s Encrypt will continue handing out certs to everyone without bias forever. We’re already at a point where your browser gives you excessive grief over both unencrypted connections and self-signed certs. Once nobody has a choice they’ll have all the power. I get very strong early Google vibes from them.

                      • #122438
                        Anonymous
                        Guest

                        so you can use someone else. Since I happen to still have the tab to that site open, here’s two other choices that use the same automation LE does.
                        https://scotthelme.co.uk/having-a-backup-ca-for-lets-encrypt/
                        https://scotthelme.co.uk/introducing-another-free-ca-as-an-alternative-to-lets-encrypt/

                      • #122444
                        Anonymous
                        Guest

                        >encryption only
                        Certificates are exclusively about the server validating its authenticity to the user; i.e. "letsencrypt performed a satanic ritual so it’s definitely you"
                        How would you verify that the server returned by 9.9.9.9 is actually dragon dildos.com?
                        "dude trust me"?

                      • #122447
                        Anonymous
                        Guest

                        because dragon dildos.com actually sends you big cocks

                      • #122450
                        Anonymous
                        Guest

                        >how do I be sure that the IP I’m connecting to is the website I think it is?
                        DNSSEC

                      • #122456
                        Anonymous
                        Guest

                        So I should assume that the user has DoH or some kind of meme DNS over IPFS set up?

                        Isn’t there a fundamental design issue here? The party who is most concerned with being attacked should also be the most concerned about defending themselves from attack, and maximize the length of a chain of vulnerabilities.

                        I don’t rely on cops to protect me from oogaboogas and neither should you.

                      • #122460
                        Anonymous
                        Guest

                        Which is why every website should only be served through Tor or some similar anonymizing network.
                        Anything less is just not responsible security practices.

                      • #122462
                        Anonymous
                        Guest

                        >>So I should assume that the user has DoH
                        well yeah, everyone should be using that (or DoT or DNSCrypt or…) just like everyone should be using HTTPS for web pages.

                      • #122466
                        Anonymous
                        Guest

                        Isn’t there a huge hole in your plan? There are tons of cloud services operating on subdomains.
                        DNS encryption is a shitty solution for all multi-tenant DNS, which is all clouds and anyone using Kubernetes

                      • #122468
                        Anonymous
                        Guest

                        Even further, certificates can be internally signed by organizations using their own bureaucratic processes and used to identify the routes of production servers vs a server spun up by a glow in the dark.

                    • #122475
                      Anonymous
                      Guest

                      Oh, we live in a freaking clown world.
                      While everything is encrypted, I’m supposed to visit sites with a hugely complex piece of software that’s full of possible exploits, downloading megabytes of turing complete code for "user experience" over a protocol so extensible, everyone and their mom had a go at it, so it too is wildly complex.
                      TLS itself has become somewhat mature though. I like how it’s starting to patch over the mess that is PKI. Oh, and "security appliances" can still decrypt your shit. Never ever look at your trusted CAs.

            • #122401
              Anonymous
              Guest
            • #122544
              Anonymous
              Guest

              No one of any importance needs to monitor traffic.
              They can just subpoena the site for logs.

    • #122385
      Anonymous
      Guest

      >serves a page about not supporting connections over https
      >while connected over https

    • #122387
      Anonymous
      Guest

      It probably doesn’t support HTTPS because a lot of old services and programs connect to their servers that haven’t been updated to support secured connections.

      • #122453
        Anonymous
        Guest

        >He doesn’t know you can configure web servers to serve both

      • #122505
        Anonymous
        Guest

        Nice well-informed opinion, I should invite you to my startup.

    • #122390
      Anonymous
      Guest

      this is how they hide weather machines

    • #122393
      Anonymous
      Guest

      Science is public.

    • #122397
      Anonymous
      Guest

      >83628538
      jesus christ that glow

    • #122405
      Anonymous
      Guest

      https is a meme

    • #122436
      Anonymous
      Guest

      Australia’s BOM being http only has been a meme for years. I can’t believe they don’t fix it even if it’s just to stop people asking about it.

      The crazy thing is they do support HTTPS. They have a server supplying that redirect page on HTTPS.

    • #122442
      Anonymous
      Guest

      yeah it would cost money to change it. the government has a responsibility to not tax the public unless it is for a significant cause.

      hiring someone to switch the BoM, and all services that interface with it, to https is not at all significant. there is a high risk of something going wrong, some legacy system breaking, and very little upside.

    • #122467
      Anonymous
      Guest

      scrote I just implemented HTTPS on a .gov site that handles user credentials after trying and failing for 5 years, and I was only allowed to do so because one of the wordpresses got hacked so thoroughly that 5 russians made themselves admin accounts. If we weren’t .gov, we’d be out of business decades ago, but because we’re .gov, money is infinite so it’s impossible to fail.

    • #122476
      Anonymous
      Guest

      https is a freaking meme

      when’s the last time someone was actually victimized by a MITM attack over http? like, in real life? and not a hypothetical?

      WDTMH

    • #122478
      Anonymous
      Guest

      It’s an information portal. You are not sending any data to it, and the data you are being sent is public and can be gathered from a number of APIs and other sources.

      Why does it need to be secure?

    • #122482
      Anonymous
      Guest

      >Are there any reason … to not support https … ?
      To avoid fuckups like the current LetsEncrypt root certificate shit going around right now.

      • #122483
        Anonymous
        Guest

        That’s not a fuckup. A certificate expired, exactly as intended.

      • #122485
        Anonymous
        Guest

        >To avoid fuckups like the current LetsEncrypt root certificate shit going around right now.
        what a dumb cunt.

      • #122488
        Anonymous
        Guest

        they could at the very least offer self-signed
        also i’m pretty sure governments have their own roots

        • #122503
          Anonymous
          Guest

          >also i’m pretty sure governments have their own roots
          australia uses digicert for most of its services

    • #122507
      Anonymous
      Guest

      compatibility for old (really old) industrial/scientific appliance that cannot run modern encryption like tls

    • #122536
      Anonymous
      Guest

      […]

      >mass reply
      >shit opinion
      Eat shit scrote

      • #122545
        Anonymous
        Guest

        Not against the rules so suck my cock scrote, make me stop
