12
bahua
5y

As if you needed another reason to stop using chrome:

https://tech.slashdot.org/story/20/...

Comments
  • 4
    I'm sure there's a blog somewhere with google defending it, but an SSL cert isn't going to change what the file you download actually contains.
  • 3
    Was reading yesterday that people are still using Opera. Was a little surprised.
  • 4
    @C0D4 So I guess you've never heard of Quantum Insert, MiTM and such?
  • 6
    @linuxxx i have, but what I'm getting at is, the SSL by it self doesn't prevent the source file being malicious on its own or being tampered with prior to you the user downloading it.

    This is just... wait a minute... did you just agree with Google.

    This is not the @linuxxx I know 👀
  • 7
    @C0D4 I partly do agree with Google as I don't really trust http-acquired content due to its interceptability.

    But then, I also still think it should be the users choice...

    But then, the amount of shit that could happen at ISP/spy agency/malicious actor level when https isn't used...
  • 2
    @linuxxx same boat.
    I think it's a good idea overall, but should still be user preference as to trusting the source if it's not over https.

    I guess this is one way to kill legacy systems running over http.
  • 3
    Why is this bad? The majority of users are completely blind to threats like this.

    When Bob Bliss goes to https://www.ignorance.com to download http://www.ignorance.com/setup.exe he does not know that setup.exe can be changed to a malware exe in transit.
  • 4
    HTTPS isn't hard anymore.

    Yes. You need to know what you are doing.

    But we're far away from the 'fun' of previous TLS setup (finding CA, CA costs, algorithm support / client support....)

    So imho it should die.
  • 3
    I agree with Google here. Mixed content warnings have been around for a while, but they don't work for download files. Of course https doesn't protect against files that are already contaminated at the origin, but it does protect against tampering in-between.

    Since Let's Encrypt, there is no reason not to use https anymore. The additional CPU load is like 1-2%, that's negligible.

    Google has been kicking lazy webmasters' asses in favour of https fr years. Without Google, we'd have even more of these idiots with "but but but my website doesn't need https". Yes it does, no matter what's on it, for everything, period.

    And no, the direction is not depriving users of stupid choices, but again kicking lazy webmasters' asses to get their shit together.

    https://doesmysiteneedhttps.com/
  • 0
    @SortOfTested I always think about that when I visit caniuse.com .
  • 5
    I agree, with one exception: local development. I wouldn't be able to test downloads from my local web server because it doesn't (and won't) have https.
  • 2
    There's a lot more going on on ports 80 and 443 than internet-connected websites.
  • 1
    @Root won't?
    That's an interesting dev environment you have.
  • 2
    @C0D4 It's always a pain to get working, so I just don't bother.
  • 2
    @Root 😂i complete understand that problem.
  • 2
    There's no excuse for a site not having TLS support these days; I think it's good default behaviour.
  • 1
    It’s a well justified security feature. It’s not to protect you from the website but from people MITMing the wire to insert malware as a file is downloaded.
  • 0
    I have never been a big fan of software that makes security decisions for me. I'm even less enthused about software that does that and doesn't let me unset the option.
Add Comment