What’s on HTTP?(whatsonhttp.com)
65 points by elixx 13 hours ago | 9 comments
superkuh 11 hours ago
HTTP is incomparibly less fragile than HTTPS which is why HTTP+HTTPS is such a great solution for websites made by human persons for human persons. Lets be clear, corporate or institutional persons using HTTPS alone is fine and reasonable. But for human use cases HTTP+HTTPS gets you the best of both worlds. No HTTPS cert system ever survives longer than a few years without human input/maintainence. There's just too much changing and too much complexity. From the software of the user to the software of the webserver.

Which is to say, HTTP is not some "ancient" tech like an analog television. It is a modern technology used today doing things that HTTPS can't.

tryauuum 11 hours ago
I'd rather have some expired cert than http

I saw once my ISP injecting javascript ads into http traffic and the horror is with me forever

miladyincontrol 10 hours ago
Agree strongly. An expired cert is better than no cert.

Also would argue maintenance is only as complicated as you make it for yourself. Countless people keep patched, secure, https web servers running with minimal effort. If its somehow effort, introspect some on why you are somehow making so much work for yourself.

pocksuppet 8 hours ago
That's no use when your automated registrar stops working in 3 years because it went out of business or changed protocols. Let's Encrypt has been an outlier.
superkuh 10 hours ago
Might be a bit of each of us touching different ends of the elephant. To be clear I am talking about long timespans. Lets Encrypt hasn't even existed for a full decade yet. During that time it's dropped support entirely for the original acme protocol. During that time it's root certs have expired at least twice (only those I remember where it caused issues in older software). And that's ignoring the churn in acme/acme2 clients and specific OS/Distro cert choice issues and browser CA issues. Saying that there's no trouble with HTTPS must be coming from experiences on short timescales (ie, a few years).

HTTP/3 already doesn't allow anything but CA TLS only. It won't be too long before they no longer allow you to click through CA TLS warnings.

If human people want things to be on the web for long time periods those things should be served HTTP+HTTPS.

Ferret7446 9 hours ago
If you can't keep your site's certs working, I don't have much faith you can keep your server working. Maintenance is required in the face of entropy
pastage 1 hour ago
There is some kind of middle ground here.. My first HTML file still renders like it did on Mosaic. The HTTP server I used back then still works today 35 years later without maintenance. I do agree that HTTPS is a simple solution but there is too much cargo cult around it. Honestly I do not see the use to maintain everything published if you follow sane practices.

EDIT: I have 15 year old things at work that do not compile, you have to maintain it for sure, biggest problem is cryptography. I am not sure that unstable tech should be part of the application ever.

hexfran 1 hour ago
Unless I'm misunderstanding your point, your HTTP server from 35 years ago is still working today without any maintenance? Does that mean no security patching and no updates for bugfixes? or does "no maintenance" means something else I'm missing? I find it difficult to discuss these topics when comments like these pretend that you can leave your system exposed on the internet for years without any maintenance.

If we're talking applications that don't actively listen on the internet that's fine, and I would agree that we should have complete software that just works. But a webserver, unless it's for personal/home use, it's on the internet and I don't see how it could work for 35 years without any update/change

Telaneo 9 hours ago
On the one hand, I agree with you given that state of the world.

On the other hand, that state of the world shouldn't exist. It's incredible to me that it's not illegal.

userbinator 7 hours ago
That's when you connect the VPN...
TZubiri 9 hours ago
I thought that was a one time thing in a 3rd world country blown out of proportion into myth status.

Would you mind sharing what ISP it was and what time period this was in?

fushihara 8 hours ago
I’m not sure whether this applies globally, but in Japan, around 2015, some mobile carriers deployed a “traffic optimization” feature that would lossily compress images in transit.

On the platforms of NTT Docomo and KDDI (au), users could opt out of this behavior. However, with SoftBank, it could not be disabled, which led to controversy.

As you might expect, this caused issues—since the image data was modified, the hash values changed. As a result, some game apps detected downloaded image files as corrupted and failed to load them properly.

Needless to say, this was effectively a man-in-the-middle attack, so it did not work over HTTPS.

Within a couple of years, the feature seems to have been quietly discontinued.

There were also concerns that this might violate the secrecy of communications, but at least the government authorities responsible for telecommunications did not take any concrete action against it.

There is a Japanese Wikipedia article about this: https://ja.wikipedia.org/wiki/%E9%80%9A%E4%BF%A1%E3%81%AE%E6...

TZubiri 7 hours ago
This event sounds much more realistic/common, the motivation of an ISP to save bandwidth costs is much more likely/frequent than the motivation of an ISP to monetize through ads (in addition to monthly service fees).
pixl97 8 hours ago
Where as my ISP did not put in ads, they did inject messages such as maintenance was going to occur and did things like redirect bad dns to their own search.

Also ISPs were monitoring and selling browsing data years ago.

rcakebread 8 hours ago
Comcast / Xfinity in the U.S., for example:

https://www.reddit.com/r/technology/comments/9b5ikd/comcastx...

offmycloud 4 hours ago
Cox Communications used to do it in California to inject JS into sites. I remember seeing little Cox popup/toast messages in the corner of other sites.
tryauuum 8 hours ago
it was some mobile ISP in Russia. Maybe 6 or 8 years ago
Ferret7446 9 hours ago
This is such a weird framing. HTTPS is HTTP. TLS is at a different layer of the network stack. You may as well say HTTP through a proxy is better or worse than HTTP through a VPN; all of those statements are equally nonsensical.

You are simply arguing that insecure network requests require less work. Which is obviously true. TLS did not appear out of nothing. Much effort was expended to create it, and there's a reason

ericpauley 7 hours ago
My thoughts exactly. By this logic both are fragile because they run over lossy wireless networks.

The composability of TLS/HTTP is really a beautiful thing.

cellularmitosis 8 hours ago
Any fans of retrocomputing will certainly agree. Much of the plain-HTTP internet that's left is there by them and for them.
forgotmypw17 7 hours ago
Agree 100%. HTTP is much more accessible, and HTTPS has more failure modes. When I want to ensure that someone can read my content, I offer both.
Gigachad 7 hours ago
If you don't care about security, you could just use a browser which ignores invalid certificates.
toast0 6 hours ago
Invalid certificates are one thing, and you can probably click through that. But maybe your older browser tops out at TLS 1.0, and servers don't offer that anymore (I think the credit card PCI cert discourages it) or maybe your older browser can't do ECC certs and the server you want to talk to only has an ECC cert.

Or maybe your older server only speaks TLS 1.0 and that's not cool anymore. Or it could only use sha1 certs, so it can't get a current cert.

When I can, I like to server http and https, and serve the favicon with HTTPS and use HSTS to induce current clients to use https for everything. Finally, a use for the favicon.

Dylan16807 5 hours ago
Someone with an older browser can update the browser outside of very niche situations. I have little concern for that use case.

If a server can't do TLS 1.2 from 2008 I question how it's still stable and unhacked more than anything.

13 hours ago
paulnpace 10 hours ago
Not very useful when most of the pages are default web server pages.
elliot07 7 hours ago
The author should check to see if the HTTP response body contains "nginx" or "apache" and just filter those out. Seems like at least 50% of what I'm seeing.

Also would be nice if there was a hotlink to view the original site directly from the index page.

swordmem 13 hours ago
[dead]
HectorMallar73 2 hours ago
[dead]
Shangdi63046 6 hours ago
[dead]
gethwhunter34 2 hours ago
tldr for anyone skimming: the key insight is in section 3
unit149 10 hours ago
[dead]
tryauuum 11 hours ago
[flagged]