329 sats \ 4 replies \ @ek 18 Oct 2023 \ on: Superlinear Returns tech
Paul Graham's blog is great but I really wonder why it doesn't use HTTPS.
Googled a bit and found this. But no answers from him personally.
Of course, he doesn't owe anyone anything, but I think it's weird to not have HTTPS nowadays. But I have a cryptography background, so I might be biased.
write
preview
308 sats \ 1 reply \ @WeAreAllSatoshi 18 Oct 2023
SSL (well, TLS now) serves three purposes.
  1. Ensuring you are getting the information the website author intends for you to get. i.e. data can’t be manipulated in transit.
  2. Ensuring the information you are getting is in fact coming from the domain you are requesting it from.
  3. Preventing others between you and the website from seeing the information sent back and forth.
I think you questioned the need for TLS here assuming 3 was the only purpose of TLS?
I found this comment on the linked HN thread insightful and probably very useful for a lot of folks. Sensitive data isn’t the only argument for TLS
reply
21 sats \ 0 replies \ @ek 18 Oct 2023
Yes. It's about CIA: confidentiality, integrity and authenticity.
People most of the times only think about C
reply
364 sats \ 1 reply \ @k00b 18 Oct 2023
I've seen him call this an IQ test, ie he sees it as unnecessary for his site.
reply
0 sats \ 0 replies \ @ek 18 Oct 2023
I totally get why one might think that HTTPS is not necessary for a site like this but damn, I really believe we should always err on the side of caution with stuff like this. Getting a certificate and setting up auto-renewal with free TLS providers like Let's Encrypt really isn't that hard anymore.
I guess I've heard too many stories about people not taking cryptography seriously or just handwaving arguments so I am always baffled when people say: ohhh, I don't need it, what could go wrong?
That might be true but are you 100% sure?
We should be humble when it's comes to cryptography.
But as mentioned, I get it that most people don't think like this. It's too abstract.
Regarding the IQ test: is it about people being considered dumb if they follow advice like "use HTTPS" blindly?
Well, I would rather fail such a test and say I'm dumb and actually be dumb than say I'm smart but with the risk of actually being dumb, lol
reply