I host a single site on a host (so, no login, subject name or path information to leak), which only contains details how to connect to my irc server at the same address.
If the message is altered then the most pain anyone will have is connecting somewhere else for the first time. (They won’t be automatically logging in if they’re using this page).
Why does everything need to be TLS? It feels like a cargo cult. A requirement: “because!”
In other scenarios it’s worth modelling threats and I agree that it’s good to err on the side of caution but aside from the modification of my connection information there’s no good tangible reason to incur an overhead in administration.
Although it should be noted; part of the reason that web server even exists is to do letsencrypt for a globally geobalanced irc network.
> Why does everything need to be TLS? It feels like a cargo cult. A requirement: “because!”
Traditionally, people have only encrypted things that are deemed sensitive (logins, money, health). However, when the majority of traffic is non-encrypted, actually ciphered data is very noticeable to anyone monitoring the network, and it screams "look at me! I am important!".
However, when >90% of traffic of the Internet is encrypted, then there is no 'extra' information to be gained from that fact. If further forces any surveillance program to expend extra resources to either trying decrypting everything, or choose to only focus on those people that it actually deems important, instead of wholesale surveillance of the entire population.
Further, encrypting content prevents it from being modified, reducing your potential to be leverage against:
> The Great Cannon of China is an Internet attack tool that is used to launch distributed denial-of-service attacks on websites by performing a man-in-the-middle attack on large amounts of web traffic and injecting code which causes the end-user's web browsers to flood traffic to targeted websites.[1]
"herd immunity" is a good argument; but herd immunity exists for outliers. The people who for some reason cannot get a vaccine, yet they are not exposed to the hypothetical disease because everyone they are surrounded by is immune.
That's kinda my argument, not that https is bad. I agree with widespread adoption and taking it as a default even for a static page.
But in my environment I have many dozens of nodes and idk where letsencrypt is going to come in because of geobalanced DNS. I also serve many domains with this project so I don't have the nice DNS-01 ACME verification features because not all DNS providers have an API.
So I have a web server on each node, which reverse proxies .well-known/ to some central server that runs certbot. Then I distribute those certs outwards to those nodes.
It goes against certain sysadmin principles about transportation of private key materials, but it's what works.
But; given that architecture which caters for a latency sensitive product; letsencrypt is a serious overhead. To the point where I'm considering going back to 2y paid certs.
My work's DNS provider does not have a handy API, so if we want a cert for the internal-only foo.example.com, we point _acme-challenge.foo to _acme-challenge.foo.dnstest.example.com. And the NS server for the dnstest.example.com lives in our DMZ and is only there to answer ACME queries from Let's Encrypt. We set up some scripting to allow updates to the NS server via nsupdate.
And there are ACME clients written specifically around the idea of having the client run on a different system than the web server:
If the message is altered then the most pain
anyone will have is connecting somewhere else
for the first time
If the page is altered so it loads 3rd party tracking code, then the pain is to be tracked.
If the page is altered so it opens a "Please enter your ebay login" phishing site in the background, a user might switch tabs, think "Oh, I logged out of ebay somehow" and enter their password into the attackers site. Exposing them to the pain of ecommerce fraud.
If the page is altered to use a 0-day exploit, the pain is to have a zombie machine afterwards.
If you hijack the DNS request and respond with the IP of a different server, that server will not have a valid certificate for the domain in question. Why are any extra features required?
I host a single site on a host (so, no login, subject name or path information to leak), which only contains details how to connect to my irc server at the same address.
If the message is altered then the most pain anyone will have is connecting somewhere else for the first time. (They won’t be automatically logging in if they’re using this page).
Why does everything need to be TLS? It feels like a cargo cult. A requirement: “because!”
In other scenarios it’s worth modelling threats and I agree that it’s good to err on the side of caution but aside from the modification of my connection information there’s no good tangible reason to incur an overhead in administration.
Although it should be noted; part of the reason that web server even exists is to do letsencrypt for a globally geobalanced irc network.