Comments
-
C0D4 66902 5y
I'm sure there's a blog somewhere with google defending it, but an SSL cert isn't going to change what the file you download actually contains.
-
Was reading yesterday that people are still using Opera. Was a little surprised.
-
C0D4 66902 5y
@linuxxx I have, but what I'm getting at is, the SSL by itself doesn't prevent the source file being malicious on its own or being tampered with prior to you the user downloading it.
This is just... wait a minute... did you just agree with Google?
This is not the @linuxxx I know 👀 -
@C0D4 I partly do agree with Google as I don't really trust http-acquired content due to its interceptability.
But then, I also still think it should be the user's choice...
But then, the amount of shit that could happen at ISP/spy agency/malicious actor level when https isn't used... -
C0D4 66902 5y
@linuxxx same boat.
I think it's a good idea overall, but should still be user preference as to trusting the source if it's not over https.
I guess this is one way to kill legacy systems running over http. -
Why is this bad? The majority of users are completely blind to threats like this.
When Bob Bliss goes to https://www.ignorance.com to download http://www.ignorance.com/setup.exe he does not know that setup.exe can be changed to a malware exe in transit. -
HTTPS isn't hard anymore.
Yes. You need to know what you are doing.
But we're far away from the 'fun' of previous TLS setup (finding CA, CA costs, algorithm support / client support....)
So imho it should die. -
I agree with Google here. Mixed content warnings have been around for a while, but they don't work for download files. Of course https doesn't protect against files that are already contaminated at the origin, but it does protect against tampering in-between.
Since Let's Encrypt, there is no reason not to use https anymore. The additional CPU load is like 1-2%, that's negligible.
Google has been kicking lazy webmasters' asses in favour of https for years. Without Google, we'd have even more of these idiots with "but but but my website doesn't need https". Yes it does, no matter what's on it, for everything, period.
And no, the direction is not depriving users of stupid choices, but again kicking lazy webmasters' asses to get their shit together.
https://doesmysiteneedhttps.com/ -
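The case raised in the comments above (an https page linking to an http `setup.exe`, which mixed content warnings do not cover) can be checked for on your own pages. This is an added example, not part of the thread; the function names, the extension list and the sample markup are assumptions made for illustration.

```javascript
// Added example, not from the thread: flag download links that would be
// fetched over plain HTTP from a page that is itself served over HTTPS.

// Assumption: file extensions this audit treats as downloads.
const DOWNLOAD_EXTENSIONS = new Set(["exe", "msi", "dmg", "zip", "iso", "pdf"]);

// Constructed sample page, modelled on the setup.exe case in the thread.
const SAMPLE_HTML = `
<a href="http://www.ignorance.com/setup.exe">Installer</a>
<a href="/files/manual.pdf">Manual</a>
<a href="//cdn.ignorance.com/tools.zip">Tools</a>
<a href='http://mirror.example/Image.ISO?src=home'>ISO</a>
<a href="http://www.ignorance.com/about.html">About</a>
<a href="mailto:bob@ignorance.com">Contact</a>
`;

// Lower-cased extension of the last path segment; query strings are ignored.
function extensionOf(url) {
  const file = url.pathname.split("/").pop();
  const dot = file.lastIndexOf(".");
  return dot > 0 ? file.slice(dot + 1).toLowerCase() : "";
}

// Returns the absolute URLs of download links that leave the HTTPS page
// for plain HTTP. A page served over HTTP has no mixed content to report.
function findInsecureDownloads(pageUrl, html) {
  const page = new URL(pageUrl);
  const findings = [];
  if (page.protocol !== "https:") return findings;
  const hrefPattern = /<a\b[^>]*?\bhref\s*=\s*(?:"([^"]*)"|'([^']*)')/gi;
  for (const match of html.matchAll(hrefPattern)) {
    const raw = match[1] ?? match[2];
    let target;
    try {
      // Relative and scheme-relative links inherit the page's https scheme.
      target = new URL(raw, page);
    } catch {
      continue; // skip hrefs that do not parse as URLs
    }
    if (target.protocol === "http:" && DOWNLOAD_EXTENSIONS.has(extensionOf(target))) {
      findings.push(target.href);
    }
  }
  return findings;
}
```

Only the two absolute `http://` links to files are reported; the relative and scheme-relative links resolve to https and pass.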
Root 79773 5y
I agree, with one exception: local development. I wouldn't be able to test downloads from my local web server because it doesn't (and won't) have https.
-
There's no excuse for a site not having TLS support these days; I think it's good default behaviour.
-
catgirl 1130 5y
It’s a well justified security feature. It’s not to protect you from the website but from people MITMing the wire to insert malware as a file is downloaded.
-
bahua 12801 5y
I have never been a big fan of software that makes security decisions for me. I'm even less enthused about software that does that and doesn't let me unset the option.
Related Rants
As if you needed another reason to stop using chrome:
https://tech.slashdot.org/story/20/...
rant
google
chrome