• http: gone

    From Harriet Bazley@21:1/5 to All on Tue Mar 2 14:54:07 2021
    All my bookmarked http:// links have stopped working, from http://www.google.co.uk to http://keapr.com and http://wttr.in/London.png?u
    I discovered by chance that editing a 's' into them (e.g. 'https://')
    solved the problem. Has the use of a non-encrypted connection to
    download non-sensitive data been prohibited in the last week?

    --
    Harriet Bazley == Loyaulte me lie ==

    Abstinence makes the heart grow fonder.

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Dave Plowman (News)@21:1/5 to Harriet Bazley on Tue Mar 2 15:56:41 2021
    In article <2846f10659.harriet@bazleyfamily.co.uk>,
    Harriet Bazley <harriet@bazleyfamily.co.uk> wrote:
    All my bookmarked http:// links have stopped working, from http://www.google.co.uk to http://keapr.com and http://wttr.in/London.png?u
    I discovered by chance that editing a 's' into them (e.g. 'https://')
    solved the problem. Has the use of a non-encrypted connection to
    download non-sensitive data been prohibited in the last week?

    Don't use a RISCOS browser much these days but I think you're right. Went
    to a little used URL of a firm I know still exists via my bookmarks and
    got the same. Changing to https found it again.

    --
    *I wished the buck stopped here, as I could use a few*

    Dave Plowman dave@davenoise.co.uk London SW
    To e-mail, change noise into sound.

  • From Harriet Bazley@21:1/5 to Harriet Bazley on Tue Mar 2 15:23:25 2021
    On 2 Mar 2021 as I do recall,
    Harriet Bazley wrote:

    All my bookmarked http:// links have stopped working, from http://www.google.co.uk to http://keapr.com and http://wttr.in/London.png?u
    I discovered by chance that editing a 's' into them (e.g. 'https://')
    solved the problem. Has the use of a non-encrypted connection to
    download non-sensitive data been prohibited in the last week?


    Apparently this applies to the URLs preset in applications like Fetch_NS
    and the Netsurf homepage, as well....


    --
    Harriet Bazley == Loyaulte me lie ==

    Violence is the last refuge of the incompetent.

  • From Chris Hughes@21:1/5 to Harriet Bazley on Tue Mar 2 16:49:01 2021
    In message <2846f10659.harriet@bazleyfamily.co.uk>
    Harriet Bazley <harriet@bazleyfamily.co.uk> wrote:

    All my bookmarked http:// links have stopped working, from http://www.google.co.uk to http://keapr.com and http://wttr.in/London.png?u
    I discovered by chance that editing a 's' into them (e.g. 'https://')
    solved the problem. Has the use of a non-encrypted connection to
    download non-sensitive data been prohibited in the last week?

    Just tried all your above links with http and they all worked fine in
    !NetSurf 3.10

    But you will find in general, many sites are now becoming https by
    default, it's the way the Internet is moving, and in Firefox there is now
    an option to warn/block sites as insecure if they use http only. Other
    mainstream browsers are following this trend.

    --
    Chris Hughes

  • From Tim Hill@21:1/5 to dave@davenoise.co.uk on Tue Mar 2 16:16:38 2021
    In article <5906f70077dave@davenoise.co.uk>, Dave Plowman (News) <dave@davenoise.co.uk> wrote:
    In article <2846f10659.harriet@bazleyfamily.co.uk>, Harriet Bazley
    <harriet@bazleyfamily.co.uk> wrote:
    All my bookmarked http:// links have stopped working, from http://www.google.co.uk to http://keapr.com and
    http://wttr.in/London.png?u I discovered by chance that editing a 's'
    into them (e.g. 'https://') solved the problem. Has the use of a non-encrypted connection to download non-sensitive data been
    prohibited in the last week?

    Don't use a RISCOS browser much these days but I think you're right.
    Went to a little used URL of a firm I know still exists via my
    bookmarks and got the same. Changing to https found it again.

    But not every http site has an https equivalent. This is a horrendous bug.

    It seems like blasphemy to say it but despite what some seem to think, including Google, some sites don't need a secure connection.

  • From Chris Hughes@21:1/5 to Tim Hill on Tue Mar 2 16:54:10 2021
    In message <5906f8d421tim@invalid.org.uk>
    Tim Hill <tim@invalid.org.uk> wrote:

    In article <5906f70077dave@davenoise.co.uk>, Dave Plowman (News) <dave@davenoise.co.uk> wrote:
    In article <2846f10659.harriet@bazleyfamily.co.uk>, Harriet Bazley
    <harriet@bazleyfamily.co.uk> wrote:
    All my bookmarked http:// links have stopped working, from
    http://www.google.co.uk to http://keapr.com and
    http://wttr.in/London.png?u I discovered by chance that editing a 's'
    into them (e.g. 'https://') solved the problem. Has the use of a
    non-encrypted connection to download non-sensitive data been
    prohibited in the last week?

    Don't use a RISCOS browser much these days but I think you're right.
    Went to a little used URL of a firm I know still exists via my
    bookmarks and got the same. Changing to https found it again.

    But not every http site has an https equivalent. This is a horrendous bug.

    It's not a bug, the world is moving on from insecure websites to secure
    ones to improve security etc.

    It seems like blasphemy to say it but despite what some seem to think, including Google, some sites don't need a secure connection.

    All the main browsers will start to warn you, if they do not already, that you are accessing an insecure site, and Firefox now has an optional option to block them.

    Even !NetSurf does if you look at the padlock in the URL bar, but does not
    yet block insecure sites.

    --
    Chris Hughes

  • From Tim Hill@21:1/5 to news13@noonehere.co.uk on Tue Mar 2 17:22:26 2021
    In article <d9cafb0659.chris@mytarbis.plus.com>, Chris Hughes <news13@noonehere.co.uk> wrote:
    In message <2846f10659.harriet@bazleyfamily.co.uk> Harriet Bazley
    <harriet@bazleyfamily.co.uk> wrote:

    All my bookmarked http:// links have stopped working, from http://www.google.co.uk to http://keapr.com and
    http://wttr.in/London.png?u I discovered by chance that editing a 's'
    into them (e.g. 'https://') solved the problem. Has the use of a non-encrypted connection to download non-sensitive data been
    prohibited in the last week?

    Just tried all your above links with http and they all worked fine in !NetSurf 3.10

    But you will find in general, many sites are now becoming https by
    default, it's the way the Internet is moving, and in Firefox there is
    now an option to warn/block sites as insecure if they use http only.
    Other mainstream browsers are following this trend.

    Contrary to what many - including Google - seem to think, some sites
    don't need a secure connection.

  • From Chris Hughes@21:1/5 to Tim Hill on Tue Mar 2 17:58:10 2021
    In message <5906feda2btim@invalid.org.uk>
    Tim Hill <tim@invalid.org.uk> wrote:

    In article <d9cafb0659.chris@mytarbis.plus.com>, Chris Hughes <news13@noonehere.co.uk> wrote:
    In message <2846f10659.harriet@bazleyfamily.co.uk> Harriet Bazley
    <harriet@bazleyfamily.co.uk> wrote:

    All my bookmarked http:// links have stopped working, from
    http://www.google.co.uk to http://keapr.com and
    http://wttr.in/London.png?u I discovered by chance that editing a 's'
    into them (e.g. 'https://') solved the problem. Has the use of a
    non-encrypted connection to download non-sensitive data been
    prohibited in the last week?

    Just tried all your above links with http and they all worked fine in
    !NetSurf 3.10

    But you will find in general, many sites are now becoming https by
    default, it's the way the Internet is moving, and in Firefox there is
    now an option to warn/block sites as insecure if they use http only.
    Other mainstream browsers are following this trend.

    Contrary to what many - including Google - seem to think, some sites
    don't need a secure connection.

    Well you soon will not be able to access them! It's nothing to do with Google,
    it's to do with website security and reducing hacking, etc.

    Plus most secure websites that involve financial transactions should now
    be a minimum of TLS 1.2 and preferably TLS 1.3 - The main web browsers now block or at minimum warn you if they are not using those secure
    protocols for financial transactions.

    --
    Chris Hughes

  • From Tim Hill@21:1/5 to news13@noonehere.co.uk on Tue Mar 2 19:41:52 2021
    In article <ad1f020759.chris@mytarbis.plus.com>, Chris Hughes <news13@noonehere.co.uk> wrote:
    Plus most secure websites that involve financial transactions should
    now be a minimum of TLS 1.2 and preferably TLS 1.3 - The main web
    browsers now block or at minimum warn you if they are not using
    those secure protocols for financial transactions.

    It's a huge leap from a hobbyist photographer with a few photos he wants
    to show off to a banking website. Of course your money needs to be secure
    but websites you don't log into in any way don't need to be https.

  • From Harriet Bazley@21:1/5 to Chris Hughes on Tue Mar 2 20:14:24 2021
    On 2 Mar 2021 as I do recall,
    Chris Hughes wrote:

    In message <2846f10659.harriet@bazleyfamily.co.uk>
    Harriet Bazley <harriet@bazleyfamily.co.uk> wrote:

    All my bookmarked http:// links have stopped working, from http://www.google.co.uk to http://keapr.com and http://wttr.in/London.png?u I discovered by chance that editing a 's' into them (e.g. 'https://') solved the problem. Has the use of a non-encrypted connection to
    download non-sensitive data been prohibited in the last week?

    Just tried all your above links with http and they all worked fine in !NetSurf 3.10

    What's even odder is that *I* just tried them from within my own
    Usenet post and this time they worked for me, as did some other links
    from my bookmarks (although the majority redirected to an https site
    without my intervention); only one link failed with the "Server
    returned nothing (no headers, no data)" error I was getting universally
    before.


    --
    Harriet Bazley == Loyaulte me lie ==

    Please all, and you will please none.

  • From Richard Porter@21:1/5 to decided to on Thu Mar 4 15:15:40 2021
    The date being 2 Mar 2021, Harriet Bazley <harriet@bazleyfamily.co.uk>
    decided to write:

    On 2 Mar 2021 as I do recall,
    Chris Hughes wrote:

    In message <2846f10659.harriet@bazleyfamily.co.uk>
    Harriet Bazley <harriet@bazleyfamily.co.uk> wrote:

    All my bookmarked http:// links have stopped working, from
    http://www.google.co.uk to http://keapr.com and http://wttr.in/London.png?u
    I discovered by chance that editing a 's' into them (e.g. 'https://')
    solved the problem. Has the use of a non-encrypted connection to
    download non-sensitive data been prohibited in the last week?

    Just tried all your above links with http and they all worked fine in
    !NetSurf 3.10

    What's even odder is that *I* just tried them from within my own
    Usenet post and this time they worked for me, as did some other links
    from my bookmarks (although the majority redirected to an https site
    without my intervention); only one link failed with the "Server
    returned nothing (no headers, no data)" error I was getting universally before.

    If you convert a site from http to https you should put a bit of code in
    the .htaccess file (in public_html) to convert any requests for http to go
    to https instead. This is what I've done in of my sites:

    RewriteEngine On
    RewriteCond %{HTTP_HOST} minimarcos\.org\.uk [NC]
    RewriteCond %{SERVER_PORT} 80
    RewriteRule ^(.*)$ https://minimarcos.org.uk/$1 [R,L]

    I also changed any http links on the site to https. This works fine except
    for my PlusNet web space. PlusNet support is totally unhelpful when it
    comes to web space and there's nothing I can do about it, so if you
    request https://www.minijem.plus.com/ you get:

    A privacy error occurred while communicating with
    www.minijem.plus.com this may be a site configuration error or
    an attempt to steal private information (passwords, messages or
    credit cards)

    The certificate is for a different host than the server.

    On the other hand http works fine.

  • From Tim Hill@21:1/5 to ricp@minijem.plus.com on Thu Mar 4 16:40:53 2021
    In article <39ebfa0759.news@user.minijem.plus.com>, Richard Porter <ricp@minijem.plus.com> wrote:
    I also changed any http links on the site to https. This works fine
    except for my PlusNet web space. PlusNet support is totally unhelpful
    when it comes to web space and there's nothing I can do about it, so
    if you request https://www.minijem.plus.com/ you get:

    A privacy error occurred while communicating with
    www.minijem.plus.com this may be a site configuration error or an
    attempt to steal private information (passwords, messages or
    credit cards)

    The certificate is for a different host than the server.

    On the other hand http works fine.

    That's because a secure version of http://www.minijem.plus.com/ doesn't
    exist. Your cert only applies to https://minimarcos.org.uk/

    --

    Tim Hill
    Webmaster, www.timil.com

    websites : php : RISC OS

  • From News@21:1/5 to Richard Porter on Thu Mar 4 17:09:52 2021
    In article <39ebfa0759.news@user.minijem.plus.com>,
    Richard Porter <ricp@minijem.plus.com> wrote:
    I also changed any http links on the site to https. This works fine
    except for my PlusNet web space. PlusNet support is totally
    unhelpful when it comes to web space and there's nothing I can do
    about it, so if you request https://www.minijem.plus.com/ you get:

    A privacy error occurred while communicating with
    www.minijem.plus.com this may be a site configuration error or
    an attempt to steal private information (passwords, messages
    or credit cards)

    The certificate is for a different host than the server.

    Yes - I found that. However, I have just delved through their help
    pages on their site and found the following.

    Can I use my webspace with SSL security?

    Yes you can. Just use https://homepages.plus.net/username/<page>

    I have just tried that with my site and by golly it works. Thus you
    do not appear to be able to use the direct url to your domain (in my
    case chrisjohnson.plus.net) but must use the more lengthy version.

    I am now away to change all refs to the old http url.

    --
    Chris Johnson

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
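
The certificate error quoted above and the https://homepages.plus.net/username/ workaround both come down to name matching: the client compares the host in the URL with the DNS names listed in the certificate the server presents. The sketch below is an added example, not code from any poster or from PlusNet; the certificate name lists are constructed assumptions (the thread does not show the real certificates) and the matching follows the usual RFC 6125 rules.

```python
from urllib.parse import urlsplit

# Constructed assumption: DNS names on the certificate presented by the
# shared hosting server. The thread does not show the real certificate.
SHARED_HOST_CERT = ["homepages.plus.net"]
# Constructed assumption: names on the certificate for the poster's own domain.
OWN_DOMAIN_CERT = ["minimarcos.org.uk", "www.minimarcos.org.uk"]


def dns_name_matches(pattern: str, hostname: str) -> bool:
    """Compare one certificate DNS name against the host being visited.

    Rules applied: case-insensitive comparison, a wildcard is accepted only
    as the entire left-most label, and it stands for exactly one label.
    """
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False  # "*.plus.com" can never cover "www.minijem.plus.com"
    if p_labels[0] == "*":
        # Simplification: refuse "*.tld"; real clients use a public-suffix list.
        if len(p_labels) < 3:
            return False
        return "*" not in "".join(p_labels[1:]) and p_labels[1:] == h_labels[1:]
    if "*" in pattern:
        return False  # partial wildcards such as "w*.example.org" are refused
    return p_labels == h_labels


def certificate_covers(url: str, cert_dns_names: list[str]) -> bool:
    """True if any name on the certificate matches the host part of the URL."""
    host = urlsplit(url).hostname or ""
    return any(dns_name_matches(name, host) for name in cert_dns_names)


def explain(url: str, cert_dns_names: list[str]) -> str:
    """One-line verdict in the wording of the error quoted in the thread."""
    host = urlsplit(url).hostname or ""
    if certificate_covers(url, cert_dns_names):
        return f"{host}: certificate name matches, connection proceeds"
    return f"{host}: the certificate is for a different host than the server"


if __name__ == "__main__":
    for url in (
        "https://www.minijem.plus.com/",
        "https://homepages.plus.net/username/page.html",
    ):
        print(explain(url, SHARED_HOST_CERT))
    print(explain("https://minimarcos.org.uk/", OWN_DOMAIN_CERT))
```

Under these assumptions the personal host name fails because it is simply not on the certificate, while the provider's own host name passes; encryption strength never enters into it.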
  • From News@21:1/5 to News on Thu Mar 4 17:21:21 2021
    In article <5908055f83chrisjohnson@spamcop.net>,
    News <chrisjohnson@spamcop.net> wrote:
    Can I use my webspace with SSL security?

    Having delved a bit more I found more guidance. They actually say
    that there is no need to use https for pages that do not need
    encryption, but only for pages that are encrypted. I haven't really
    seen that spelt out before.

    --
    Chris Johnson

  • From Chris Hughes@21:1/5 to Tim Hill on Thu Mar 4 17:20:47 2021
    In message <590802b884tim@invalid.org.uk>
    Tim Hill <tim@invalid.org.uk> wrote:

    In article <39ebfa0759.news@user.minijem.plus.com>, Richard Porter <ricp@minijem.plus.com> wrote:
    I also changed any http links on the site to https. This works fine
    except for my PlusNet web space. PlusNet support is totally unhelpful
    when it comes to web space and there's nothing I can do about it, so
    if you request https://www.minijem.plus.com/ you get:

    A privacy error occurred while communicating with
    www.minijem.plus.com this may be a site configuration error or an
    attempt to steal private information (passwords, messages or
    credit cards)

    The certificate is for a different host than the server.

    On the other hand http works fine.

    That's because a secure version of http://www.minijem.plus.com/ doesn't exist. Your cert only applies to https://minimarcos.org.uk/

    Err no they are completely different sites you have listed, different organisations in fact it appears!

    --
    Chris Hughes

  • From Tim Hill@21:1/5 to chrisjohnson@spamcop.net on Thu Mar 4 17:53:38 2021
    In article <5908066d06chrisjohnson@spamcop.net>, News <chrisjohnson@spamcop.net> wrote:
    In article <5908055f83chrisjohnson@spamcop.net>, News
    <chrisjohnson@spamcop.net> wrote:
    Can I use my webspace with SSL security?

    Having delved a bit more I found more guidance. They actually say that
    there is no need to use https for pages that do not need encryption,
    but only for pages that are encrypted. I haven't really seen that spelt
    out before.

    Pages only need to be encrypted if they contain or seek sensitive
    information which could be changed or stolen by a man-in-the-middle
    attack. I never received a satisfactory explanation from a https fanboi
    at Google why a public photo album or scrapbook would need to be on an encrypted website if there was no login.

    "Because it should" seems to be the only justification. "It's our policy
    to make the web more secure". No, it's a lazy "we'll just make the whole
    web https then because it's the easiest, laziest solution and will suit
    large companies and ISPs"!!

  • From Tim Hill@21:1/5 to news13@noonehere.co.uk on Thu Mar 4 17:40:27 2021
    In article <645f060859.chris@mytarbis.plus.com>, Chris Hughes <news13@noonehere.co.uk> wrote:
    In message <590802b884tim@invalid.org.uk> Tim Hill <tim@invalid.org.uk>
    wrote:

    [Snip]

    That's because a secure version of http://www.minijem.plus.com/
    doesn't exist. Your cert only applies to https://minimarcos.org.uk/

    Err no they are completely different sites you have listed, different organisations in fact it appears!

    That's the point.

  • From Richard Porter@21:1/5 to decided to on Thu Mar 4 22:06:53 2021
    The date being 4 Mar 2021, Tim Hill <tim@invalid.org.uk> decided to write:

    In article <39ebfa0759.news@user.minijem.plus.com>, Richard Porter <ricp@minijem.plus.com> wrote:
    I also changed any http links on the site to https. This works fine
    except for my PlusNet web space. PlusNet support is totally unhelpful
    when it comes to web space and there's nothing I can do about it, so
    if you request https://www.minijem.plus.com/ you get:

    A privacy error occurred while communicating with
    www.minijem.plus.com this may be a site configuration error or an
    attempt to steal private information (passwords, messages or
    credit cards)

    The certificate is for a different host than the server.

    On the other hand http works fine.

    That's because a secure version of http://www.minijem.plus.com/ doesn't exist. Your cert only applies to https://minimarcos.org.uk/

    Yes. The problem is that I have no way to create a secure version. I can't
    even get at cgi-bin (they removed access without telling everyone). I
    can't see the root directory.

    Richard

  • From Richard Porter@21:1/5 to All on Thu Mar 4 22:23:25 2021
    The date being 4 Mar 2021, News <chrisjohnson@spamcop.net> decided to
    write:

    Having delved a bit more I found more guidance. They actually say
    that there is no need to use https for pages that do not need
    encryption, but only for pages that are encrypted. I haven't really
    seen that spelt out before.

    Well yes, but if you use relative links they inherit the base and
    therefore the secure status. So in reality don't you need to have all
    pages on the secure web site? Or else you can only have absolute links.

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
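
How the links on a page resolve depends on the page's own URL: relative and protocol-relative links take its scheme, absolute ones do not. The following added example (not from any poster) resolves each link the way a browser would and separates an ordinary http:// link, which an https:// page may carry, from an embedded http:// image or script, which browsers block or warn about as mixed content. The HTML and file paths are constructed; only the host names come from the thread.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag/attribute pairs fetched as part of rendering the page itself.
SUBRESOURCE = {("img", "src"), ("script", "src"), ("iframe", "src")}
# Tag/attribute pairs the visitor follows by clicking.
NAVIGATION = {("a", "href")}

# Constructed sample page; paths are invented for the example.
SAMPLE_HTML = """
<a href="gallery.html">Gallery</a>
<a href="/about/">About</a>
<img src="//minimarcos.org.uk/logo.png">
<a href="http://www.minijem.plus.com/">Sister site</a>
<img src="http://www.minijem.plus.com/car.jpg">
"""


class LinkCollector(HTMLParser):
    """Collect (kind, raw value) for every link-bearing attribute."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if value is None:
                continue
            if (tag, name) in SUBRESOURCE:
                self.links.append(("subresource", value))
            elif (tag, name) in NAVIGATION:
                self.links.append(("navigation", value))


def audit_page(page_url: str, html: str):
    """Return (raw link, resolved URL, verdict) for each link in the page."""
    collector = LinkCollector()
    collector.feed(html)
    collector.close()
    page_secure = urlsplit(page_url).scheme == "https"
    report = []
    for kind, raw in collector.links:
        resolved = urljoin(page_url, raw)  # same resolution a browser performs
        target_secure = urlsplit(resolved).scheme == "https"
        if not page_secure:
            verdict = "plaintext-page"   # nothing on this page is protected
        elif target_secure:
            verdict = "ok"               # inherited or explicit https
        elif kind == "subresource":
            verdict = "mixed-content"    # http content embedded in https page
        else:
            verdict = "leaves-https"     # plain link out to an http site
        report.append((raw, resolved, verdict))
    return report


if __name__ == "__main__":
    for base in ("https://minimarcos.org.uk/index.html",
                 "http://minimarcos.org.uk/index.html"):
        print(base)
        for raw, resolved, verdict in audit_page(base, SAMPLE_HTML):
            print(f"  {raw:40} -> {resolved:45} {verdict}")
```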
  • From Richard Porter@21:1/5 to All on Thu Mar 4 22:10:39 2021
    The date being 4 Mar 2021, News <chrisjohnson@spamcop.net> decided to
    write:

    Yes - I found that. However, I have just delved through their help
    pages on their site and found the following.

    Can I use my webspace with SSL security?

    Yes you can. Just use https://homepages.plus.net/username/<page>

    I have just tried that with my site and by golly it works. Thus you
    do not appear to be able to use the direct url to your domain (in my
    case chrisjohnson.plus.net) but must use the more lengthy version.

    I am now away to change all refs to the old http url.

    Thanks for that. I'll give it a try. Why couldn't PlusNet support tell me
    that?

  • From News@21:1/5 to Richard Porter on Thu Mar 4 22:33:46 2021
    In article <5ae9200859.news@user.minijem.plus.com>,
    Richard Porter <ricp@minijem.plus.com> wrote:
    Thanks for that. I'll give it a try. Why couldn't PlusNet support
    tell me that?

    Support??? 8(

    --
    Chris Johnson

  • From Richard Porter@21:1/5 to All on Thu Mar 4 22:41:33 2021
    The date being 4 Mar 2021, Chris Hughes <news13@noonehere.co.uk> decided
    to write:

    In message <590802b884tim@invalid.org.uk>
    Tim Hill <tim@invalid.org.uk> wrote:

    In article <39ebfa0759.news@user.minijem.plus.com>, Richard Porter
    <ricp@minijem.plus.com> wrote:
    I also changed any http links on the site to https. This works fine
    except for my PlusNet web space. PlusNet support is totally unhelpful
    when it comes to web space and there's nothing I can do about it, so
    if you request https://www.minijem.plus.com/ you get:

    A privacy error occurred while communicating with
    www.minijem.plus.com this may be a site configuration error or an
    attempt to steal private information (passwords, messages or
    credit cards)

    The certificate is for a different host than the server.

    On the other hand http works fine.

    That's because a secure version of http://www.minijem.plus.com/ doesn't
    exist. Your cert only applies to https://minimarcos.org.uk/

    Err no they are completely different sites you have listed, different organisations in fact it appears!

    There are links both ways between them. I have to be careful to use http
    from minimarcos.org to minijem.plus.com. The other direction is no
    problem. Just to complicate things I have minijem.org.uk which is an alias
    for the PlusNet domain.

    Of course if I was setting up the sites today I would have steered clear
    of using any ISP domain in public. In fact I should have learned that
    after Argonet went titsup, but I wasn't familiar with registering domain
    names at that time.

  • From Chris Hughes@21:1/5 to Richard Porter on Thu Mar 4 23:05:53 2021
    In message <80bd230859.news@user.minijem.plus.com>
    Richard Porter <ricp@minijem.plus.com> wrote:

    The date being 4 Mar 2021, Chris Hughes <news13@noonehere.co.uk> decided
    to write:

    In message <590802b884tim@invalid.org.uk>
    Tim Hill <tim@invalid.org.uk> wrote:

    In article <39ebfa0759.news@user.minijem.plus.com>, Richard Porter
    <ricp@minijem.plus.com> wrote:
    I also changed any http links on the site to https. This works fine
    except for my PlusNet web space. PlusNet support is totally unhelpful
    when it comes to web space and there's nothing I can do about it, so
    if you request https://www.minijem.plus.com/ you get:

    A privacy error occurred while communicating with
    www.minijem.plus.com this may be a site configuration error or an
    attempt to steal private information (passwords, messages or
    credit cards)

    The certificate is for a different host than the server.

    On the other hand http works fine.

    That's because a secure version of http://www.minijem.plus.com/ doesn't
    exist. Your cert only applies to https://minimarcos.org.uk/

    Err no they are completely different sites you have listed, different
    organisations in fact it appears!

    There are links both ways between them. I have to be careful to use http
    from minimarcos.org to minijem.plus.com. The other direction is no
    problem. Just to complicate things I have minijem.org.uk which is an alias for the PlusNet domain.

    Of course if I was setting up the sites today I would have steered clear
    of using any ISP domain in public. In fact I should have learned that
    after Argonet went titsup, but I wasn't familiar with registering domain names at that time.

    You could migrate your websites away from PlusNet to a proper hosting
    company.

    Most of the Customer Service staff do not even know that some long term
    users have webspace, or that there is access to usenet. If you have issues
    best idea is go on the Community forums where a fair few of the remaining
    long serving staff are.

    BT who own PlusNet made nearly all the staff sign new contracts last
    September I understand to be on the same terms as the BT retail staff, so
    a few longer serving staff left sadly.

    --
    Chris Hughes

  • From Theo@21:1/5 to Tim Hill on Fri Mar 5 23:00:35 2021
    Tim Hill <tim@invalid.org.uk> wrote:
    Pages only need to be encrypted if they contain or seek sensitive
    information which could be changed or stolen by a man-in-the-middle
    attack. I never received a satisfactory explanation from a https fanboi
    at Google why a public photo album or scrapbook would need to be on an encrypted website if there was no login.

    1. Surveillance
    Ask Mr Snowden about that, but also tracking companies gathering data about you. If your packets transit an unfriendly country, expect what you look at
    to be logged and sieved for interesting things. Your ISP may profile you
    and sell on the data to advertisers.

    2. Hijacking.
    If I sit on the same network as you - for example the wifi network in a cafe
    - I can hijack your HTTP sessions. That means as well as changing what you
    see and where any links might go, I can run malicious Javascript on
    your machine. I can make your machine download malicious files. I can
    inject exploits for JS or browser vulnerabilities.

    3. Cookie stealing
    Given I can hijack your sessions, I may also present as some website you do care about and steal their cookies. Now I can login to the real website as you. (there are mitigations against this attack, but there's always
    somebody who doesn't do it right)


    Basically any time you use HTTP you have to trust every network between you
    and the endpoint, and we don't any more live in a world where they are trustworthy. With HTTPS you still have to trust the endpoint, but you don't have to care about the network in between.

    Theo

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
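
For a site owner, the hijacking and cookie points above translate into three things that can be checked in a server's responses: whether anything is still served over plain HTTP, whether session cookies carry the Secure attribute, and whether the HTTPS responses send Strict-Transport-Security so that returning browsers skip the plaintext first request that an http-to-https redirect still leaves open. This is an added example, not from any poster; the thread does not name the mitigations, Secure cookies and HSTS are the standard ones assumed here, and the three captured responses are constructed.

```python
from urllib.parse import urlsplit

REDIRECT_CODES = {301, 302, 303, 307, 308}

# Constructed captures: (request URL, status code, response headers).
HTTP_HOP = ("http://example.org/", 302, [
    ("Location", "https://example.org/"),
    ("Set-Cookie", "sid=abc123; Path=/"),
])
HTTPS_WEAK = ("https://example.org/", 200, [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "sid=abc123; Path=/; HttpOnly"),
])
HTTPS_HARDENED = ("https://example.org/", 200, [
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("Set-Cookie", "sid=abc123; Path=/; Secure; HttpOnly"),
])


def cookie_attrs(set_cookie_value: str):
    """Split a Set-Cookie value into (cookie name, set of attribute names)."""
    parts = [p.strip() for p in set_cookie_value.split(";") if p.strip()]
    name = parts[0].split("=", 1)[0]
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:]}
    return name, attrs


def hsts_max_age(header_value: str):
    """Return max-age in seconds from an HSTS header, or None if unusable."""
    for directive in header_value.split(";"):
        key, _, val = directive.strip().partition("=")
        if key.lower() == "max-age":
            try:
                return int(val.strip().strip('"'))
            except ValueError:
                return None
    return None


def audit(url: str, status: int, headers):
    """Return a list of finding codes for one request/response pair."""
    def values(name):
        return [v for k, v in headers if k.lower() == name]

    findings = []
    hsts = values("strict-transport-security")
    if urlsplit(url).scheme == "http":
        location = (values("location") or [""])[0].lower()
        if status in REDIRECT_CODES and location.startswith("https://"):
            # The redirect works, but this request and its response travelled
            # in the clear and could be altered before the browser saw them.
            findings.append("plaintext-first-hop")
        else:
            findings.append("plaintext-content")
        if hsts:
            # Browsers ignore HSTS received over an insecure connection.
            findings.append("hsts-ignored-over-http")
    else:
        if not hsts or not hsts_max_age(hsts[0]):
            findings.append("hsts-missing")  # absent, unparsable or max-age=0
    for value in values("set-cookie"):
        name, attrs = cookie_attrs(value)
        if "secure" not in attrs:
            # Without Secure the cookie is also sent on http:// requests.
            findings.append("cookie-not-secure:" + name)
    return findings


if __name__ == "__main__":
    for capture in (HTTP_HOP, HTTPS_WEAK, HTTPS_HARDENED):
        print(capture[0], capture[1], audit(*capture) or "no findings")
```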
  • From Steve Fryatt@21:1/5 to Tim Hill on Sat Mar 6 09:07:58 2021
    On 2 Mar, Tim Hill wrote in message
    <59070b9e21tim@invalid.org.uk>:

    It's a huge leap from a hobbyist photographer with a few photos he wants
    to show off to a banking website. Of course your money needs to be secure
    but websites you don't log into in any way don't need to be https.

    But given that it's easy to do and doesn't cost the user anything in most
    cases (assuming that they have even a half-decent webhost), why not just do
    it?

    --
    Steve Fryatt - Leeds, England

    http://www.stevefryatt.org.uk/

  • From Tim Hill@21:1/5 to news@stevefryatt.org.uk on Sat Mar 6 13:41:23 2021
    In article <mpro.qpjip501q5tmf027a.news@stevefryatt.org.uk>, Steve Fryatt <news@stevefryatt.org.uk> wrote:
    On 2 Mar, Tim Hill wrote in message <59070b9e21tim@invalid.org.uk>:

    It's a huge leap from a hobbyist photographer with a few photos he
    wants to show off to a banking website. Of course your money needs to
    be secure but websites you don't log into in any way don't need to be https.

    But given that it's easy to do

    The level of difficulty involved is not the point.

    and doesn't cost the user anything in
    most cases (assuming that they have even a half-decent webhost), why
    not just do it?

    Doesn't cost the user anything in most cases? Have you never used a
    commercial ISP?

  • From Tim Hill@21:1/5 to All on Sat Mar 6 14:32:57 2021
    [snip]

    Thanks, Theo. That's a better explanation than anyone at Google ever put forward, though credentials should only be stored for secure websites, of course and very hard to fake that to steal them.

    The important thing is risk. We all take one every time we step outside
    the front door. Could my local Costa have a man-in-the-middle lurking on
    its WiFi to get at my HTTP sessions? It could. With the emphasis on
    'could'.

    Is it likely though?

    Of course, documented cases of it happening to members of the public
    would be useful in order to illustrate the risks involved but you're more likely to find links for tools to carry it out than any evidence of it happening like that. That's not to say that commercial organisations
    haven't been targeted with a form of MITM attacks but I gather the bad
    guys prefer phishing to get their malicious software onto corporate
    systems because it's easier to do than spoof their way onto a corporate
    network to then lurk and inject.

    --

    Tim Hill
    Webmaster, www.timil.com

    websites : php : RISC OS

  • From Steve Fryatt@21:1/5 to Tim Hill on Sat Mar 6 14:27:14 2021
    On 6 Mar, Tim Hill wrote in message
    <5908f9f56atim@invalid.org.uk>:

    Doesn't cost the user anything in most cases? Have you never used a commercial ISP?

    Yes, thanks. I've not yet encountered a cheap shared hosting provider that doesn't throw in Let's Encrypt for "free" on a basic Linux hosting setup. Judging by the discussion on the ROOL forum the other week when this came up there, neither has anyone else[1].

    That's "free", by the way, because it would probably be more accurate to say that they don't knock anything off the price for /not/ using HTTPS.


    1. I was the odd one out without HTTPS on my site, and when I finally got around to looking into it, a quick message to my host's support folk had
    Let's Encrypt enabled in five minutes. The other sites that I look after (WROCC, Wakefield Show, theatre) have all had HTTPS enabled for a while.

    --
    Steve Fryatt - Leeds, England

    http://www.stevefryatt.org.uk/

  • From Tim Hill@21:1/5 to news@stevefryatt.org.uk on Sat Mar 6 16:00:47 2021
    In article <mpro.qpjxh904ds6em027a.news@stevefryatt.org.uk>, Steve Fryatt <news@stevefryatt.org.uk> wrote:
    On 6 Mar, Tim Hill wrote in message <5908f9f56atim@invalid.org.uk>:

    Doesn't cost the user anything in most cases? Have you never used a commercial ISP?

    [Snip]

    That's "free", by the way, because it would probably be more accurate
    to say that they don't knock anything off the price for /not/ using
    HTTPS.

    It's the free-to-entice-you ones (or 'included with broadband') who seem
    to want to charge extra. A little investigation soon revealed to me that
    I could upgrade one package from free to EUR 3 a month to switch to https (which is about the same as hosting packages that charge EUR 3 a month
    but throw in 'free' https!) but they also increase storage too so
    tempting anyway as I'm at >80% and it will only get bigger.

    Needless to say, the ISP with whom I have 'free unlimited webspace' turns
    out to be 'free http webspace' but their certificates are fairly cheap
    and I am using about 7.5 GB of their servers so can't complain really.

    1. I was the odd one out without HTTPS on my site, and when I finally
    got around to looking into it, a quick message to my host's support
    folk had Let's Encrypt enabled in five minutes. The other sites that I
    look after (WROCC, Wakefield Show, theatre) have all had HTTPS enabled
    for a while.

    Yes, it's easy and thanks to RISC OS-side utilities, really easy to
    change any self-referencing http to https. I was just being selfish about
    the actual cost to me of multiple domains, I suppose. I have already
    changed one site to https and it was a simple matter of using the ISP's
    web interface and handing over some dosh. It was easier than having to reorganise a few .eu domains and things like redirecting all http
    requests to https was just a click.

    I daresay I'll get around to all of them eventually thanks to inertia and search rankings but RISC OS browsers must continue to work with local development versions of web sites and not expect the local RISC OS web
    server to be endowed with encryption. ;-)

    --

    Tim Hill
    Webmaster, www.timil.com

    websites : php : RISC OS

  • From Theo@21:1/5 to Tim Hill on Sat Mar 6 17:38:26 2021
    Tim Hill <tim@invalid.org.uk> wrote:
    [snip]

    Thanks, Theo. That's a better explanation than anyone at Google ever put forward, though credentials should only be stored for secure websites, of course and very hard to fake that to steal them.

    The important thing is risk. We all take one every time we step outside
    the front door. Could my local Costa have a man-in-the-middle lurking on
    its WiFi to get at my HTTP sessions? It could. With the emphasis on
    'could'.

    Is it likely though?

    It's a straightforward attack vector, so why not? If there's targets of sufficient value, somebody will do it. Maybe not your local Costa, but
    perhaps the one in Westminster? Just drop a phone running suitable software down the back of the sofa and walk away.

    Given that everyone has a browser that does HTTPS already[1], why not enable
    it for every site? It takes a small amount of server setup and that's it,
    it's no longer a problem.

    Theo

    [1] OK, there's probably someone running Doggysoft Webite out there. Apart from you.

  • From David Higton@21:1/5 to Tim Hill on Sat Mar 6 20:06:09 2021
    In message <5908feae1dtim@invalid.org.uk>
    Tim Hill <tim@invalid.org.uk> wrote:

    [snip]

    Thanks, Theo. That's a better explanation than anyone at Google ever put forward, though credentials should only be stored for secure websites, of course and very hard to fake that to steal them.

    The important thing is risk. We all take one every time we step outside the front door. Could my local Costa have a man-in-the-middle lurking on its
    WiFi to get at my HTTP sessions? It could. With the emphasis on 'could'.

    Is it likely though?

    By the time you discover that it did, it's already too late for you.

    David

  • From David Higton@21:1/5 to Tim Hill on Sat Mar 6 20:20:05 2021
    In message <5908f9f56atim@invalid.org.uk>
    Tim Hill <tim@invalid.org.uk> wrote:

    In article <mpro.qpjip501q5tmf027a.news@stevefryatt.org.uk>, Steve Fryatt <news@stevefryatt.org.uk> wrote:
    On 2 Mar, Tim Hill wrote in message <59070b9e21tim@invalid.org.uk>:

    It's a huge leap from a hobbyist photographer with a few photos he
    wants to show off to a banking website. Of course your money needs to
    be secure but websites you don't log into in any way don't need to be https.

    But given that it's easy to do

    The level of difficulty involved is not the point.

    and doesn't cost the user anything in most cases (assuming that they have even a half-decent webhost), why not just do it?

    Doesn't cost the user anything in most cases? Have you never used a commercial ISP?

    I use a commercial ISP. I pay £11.99 pa for my web space. The upgrade
    from http to https was free; I needed to contact their support people,
    which was free, quick and very professional.

    So the upgrade (I assume that's specifically what we mean) was indeed
    free for me.

    You don't need to get a certificate from the provider. Mine comes from
    Let's Encrypt (no surprise there). What I didn't realise was that the
    website provider would renew the cert automatically, at no extra cost
    to me.

    So the upgrade is still free overall after several renewals.

    I can't see any reason /not/ to go to https.

    I'm also working on upgrading a special http server of my own to https,
    hence the discussions in the ROOL fora about AcornSSL server
    functionality. After that, snooping on my home automation commands
    will go from unlikely to impossible.

    David

  • From Richard Porter@21:1/5 to All on Sun Mar 7 11:53:37 2021
    The date being 4 Mar 2021, Chris Hughes <news13@noonehere.co.uk> decided
    to write:

    You could migrate your websites away from PlusNet to a proper hosting company.

    Yes, I do have a reseller hosting arrangement and an alias domain name so
    that would be quite easy. The problem is that I have a lot of inbound
    links from around the world, so I'd need to redirect http requests, but
    not email.

  • From Nick Roberts@21:1/5 to Theo on Tue Mar 9 17:11:44 2021
    In message <lqb*e4key@news.chiark.greenend.org.uk>
    Theo <theom+news@chiark.greenend.org.uk> wrote:

    Tim Hill <tim@invalid.org.uk> wrote:
    Pages only need to be encrypted if they contain or seek sensitive information which could be changed or stolen by a man-in-the-middle
    attack. I never received a satisfactory explanation from a https
    fanboi at Google why a public photo album or scrapbook would need
    to be on an encrypted website if there was no login.

    1. Surveillance
    Ask Mr Snowden about that, but also tracking companies gathering data
    about you. If your packets transit an unfriendly country, expect
    what you look at to be logged and sieved for interesting things.
    Your ISP may profile you and sell on the data to advertisers.

    2. Hijacking.
    If I sit on the same network as you - for example the wifi network in
    a cafe - I can hijack your HTTP sessions. That means as well as
    changing what you see and where any links might go, I can run
    malicious JavaScript on your machine. I can make your machine
    download malicious files. I can inject exploits for JS or browser vulnerabilities.

    3. Cookie stealing
    Given I can hijack your sessions, I may also present as some website
    you do care about and steal their cookies. Now I can login to the
    real website as you. (there are mitigations against this attack, but
    there's always somebody who doesn't do it right)


    Basically any time you use HTTP you have to trust every network
    between you and the endpoint, and we don't any more live in a world
    where they are trustworthy. With HTTPS you still have to trust the
    endpoint, but you don't have to care about the network in between.

    I am the author and maintainer of a complex LAMP site on a corporate
    intranet at my workplace.

    Because
    (a) the network is not accessible by the internet (the only link between
    this network and the internet is footnet), and

    (b) all users must have logged on to the corporate network via a
    corporately owned machine with a set of restrictive Windows group
    policies that would make the typical government IT security officer nod
    approvingly ...

    then illegitimate accessing of the site would indicate that our security
    people have got a lot more serious issues to worry about than whether
    anyone is attempting to steal any http packets.

    Yet even in that environment, Chrome tries to convert all protocols to
    https. It's really frustrating for users, to the extent that I'm
    currently looking at how to let the site self-certificate, which is
    less than straightforward (and probably against our corporate security
    policy anyway).

    --
    Nick Roberts tigger @ orpheusinternet.co.uk

    Hanlon's Razor: Never attribute to malice that which
    can be adequately explained by stupidity.
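
The cookie-stealing point quoted from Theo above says mitigations exist but are often done wrong. The following is an added example, not part of any post in the thread, that audits a site's response headers for them. The thread does not name the mitigations, so the `Secure` and `HttpOnly` cookie attributes and the `Strict-Transport-Security` header are assumed here; the sample headers are constructed and the function names are hypothetical.

```python
from email.parser import Parser

# Constructed sample response headers (not captured from any real site).
SAMPLE = (
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\n"
    "Set-Cookie: session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax\n"
    "Set-Cookie: prefs=dark; Path=/\n"
    "Set-Cookie: __Host-csrf=xyz; Path=/; Secure\n"
)

def cookie_attrs(set_cookie):
    """Split one Set-Cookie value into (name, {lowercased attribute: value})."""
    first, *rest = [p.strip() for p in set_cookie.split(";")]
    name = first.split("=", 1)[0]
    attrs = {}
    for part in rest:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()
    return name, attrs

def hsts_max_age(headers):
    """Return the HSTS max-age in seconds, or 0 if absent or malformed."""
    value = headers.get("Strict-Transport-Security", "")
    for directive in value.split(";"):
        key, _, val = directive.strip().partition("=")
        if key.lower() == "max-age" and val.strip('"').isdigit():
            return int(val.strip('"'))
    return 0

def audit(raw_headers):
    """Return findings for headers that leave cookies exposed on plain HTTP."""
    headers = Parser().parsestr(raw_headers, headersonly=True)
    findings = []
    if hsts_max_age(headers) == 0:
        # Without HSTS the browser may still make a first request over http://
        findings.append("no effective Strict-Transport-Security header")
    for value in headers.get_all("Set-Cookie", []):
        name, attrs = cookie_attrs(value)
        if "secure" not in attrs:
            findings.append(f"cookie {name}: missing Secure, sent over plain HTTP")
        if "httponly" not in attrs:
            findings.append(f"cookie {name}: missing HttpOnly, readable by injected script")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

A cookie without `Secure` is attached to any plain-HTTP request to the same host, which is the request an on-path device in the cafe scenario can read.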
