Comment on Local pop radio station is using its metadata to spread anti Biden propaganda
ccdfa@lemm.ee 11 months agoOne random thing that really annoys me is that the site shakespeare.mit.edu does not properly forward http requests to https although they have an https version of the site.
diemartin@sh.itjust.works 11 months ago
Sneptaur@pawb.social 11 months ago
Why does reading Shakespeare need to be over SSL?
Takios@feddit.de 11 months ago
SSL (or TLS nowadays) not only protects against surveillance but also guarantees the integrity of the data you send and receive. Without it, someone could spoof the response you receive. In practice this means injecting ads or malware or even worse: fake shakespeare!
FlyingSquid@lemmy.world 11 months ago
According to some, all Shakespeare is fake Shakespeare.
intensely_human@lemm.ee 11 months ago
Pay no attention to the man in the middle
Sneptaur@pawb.social 11 months ago
Thanks for the explanation!
SocialMediaRefugee@lemmy.world 11 months ago
It is brutal how few people know how to implement it and how apps all seem to have their own ways of doing it. I have to keep notes for the quirks of every damn app/OS I work with that uses SSL/TLS.
the_third@feddit.de 11 months ago
At least because search engines rank TLS enabled sites higher these days. And also, wrapping everything in TLS creates more noise against surveillance and makes surveillance more expensive.
Sneptaur@pawb.social 11 months ago
So if this site has both HTTPS and HTTP versions, and it’s just Shakespeare, does it matter that much? I figure not which is why it’s not auto redirecting
intensely_human@lemm.ee 11 months ago
Why man they doth share packets in the clear
mojo@lemm.ee 11 months ago
If you are using Firefox, enable https everywhere setting and it fixes stuff like that
SocialMediaRefugee@lemmy.world 11 months ago
Don’t you just need to toss an “.htaccess” file in the root?
timewarp@lemmy.world 11 months ago
No, an .htaccess file is specific to Apache HTTP Server… although some other web servers have integrated the format. However, most browsers now automatically redirect when an HTTPS version exists.
baatliwala@lemmy.world 11 months ago
Funniest thing I’ve ever seen is the docs for Nginx do the same, no http to https redirection. I mean, you would hope that the maintainers for the biggest web server in the world would be able to manage that but somehow… No they don’t.
gatelike@feddit.de 11 months ago
server serves a protocol on a port. I would rather it not include logic like that. turn off the http port of you don’t want to serve http.
azertyfun@sh.itjust.works 11 months ago
HSTS + HTTPS redirect is the answer. It’s industry standard for a reason: it’s just as safe as pure HTTPS since you can’t get anything other than a redirect over HTTP, and HSTS protects your users from future attempted MITM attacks. The MDN page for HSTS explains it all very clearly.
Any other implementation is an immediate audit fail in my experience.
There’s no tangible security benefit to fully disabling port 80, and if anything depending on the service it may just drive users away to shadier alternatives.
baatliwala@lemmy.world 11 months ago
that would mean anyone going to http:// will perceive as the server being down so what you are saying will not work in practice
abbadon420@lemm.ee 11 months ago
Apache tomcat had a stupid security issue. I recently did a HackTheBox about it. Here’s a write-up of the box medium.com/…/hack-the-box-jerry-write-up-6f045601…