Emily Stark

1/ TIL that one of my most favorite websites, https://t.co/GEBztIfdR9, doesn't support HTTPS. That means it's time for a rant about why HTTPS is important even for a static website that serves no purpose but to let you copy-paste your favorite emoticon. 🧵

2/ First, consider all that Pegasus stuff that's been in the news this week (https://t.co/XhEUpOQKTa). One of the malware delivery vectors was an intercepted unencrypted http request to a yahoo site, which was redirected to deliver a browser exploit.

3/ The same could happen on a visit to https://t.co/GEBztIfdR9, and no one wants a 0-day exploit alongside their ascii art.

4/ There is a bit more nuance here; https websites can serve exploits as well as http ones, so in the absence of an unencrypted http request, an attacker could somehow entice the user to visit an https website under their control and deliver the exploit there.

5/ Still, we know for sure from this week's reports, as well as previous reports, that delivering an exploit over http -- zero clicks, no social engineering required -- is attractive to attackers.

6/ Second, the more websites that support HTTPS, the more communicative browsers can be about the risks of unencrypted HTTP. A detailed full-page warning explaining the risks on every HTTP site today? Not feasible; it'd be a recipe for warning blindness and annoyance.

7/ But if 999/1000 sites supported HTTPS, then we'd be in business -- and that would require long-tail sites like https://t.co/GEBztIfdR9 to get on board.

8/ At some point, maybe browsers could even stop carrying around an atrocious hardcoded list of gazillions of HTTPS-only websites (https://t.co/eBXGGo3hsv) and start assuming that *all* websites are HTTPS-only.

9/ Third, I would like to always be guaranteed a shruggie free of injected ads and unwanted JavaScript: https://t.co/kAPRydjkD6

10/ And finally, even static content can have its dangers if tampered with. Consider that copying and pasting the universal symbol of bemused resignation (https://t.co/9OJHuCPtfI) could actually be an act of faith, depending on...

11/ ...where you're pasting it into: https://t.co/RZiFpOsIBv. Many seemingly innocuous interactions with websites fall somewhere on a spectrum of risk that isn't easy to reason about, even for experts -- better to not let network attackers mess around with that.

12/ P.S. Please don't reply with suggestions for other ways to conveniently type the shruggie, that's not the point

Wed Jul 21 04:29:47 +0000 2021
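The browser-side mechanism behind tweets 7/ and 8/ (a hardcoded HTTPS-only preload list, Strict-Transport-Security headers learned from earlier HTTPS responses, or simply assuming every site is HTTPS-only), as an added Python model. This is not Emily Stark's code and not Chromium's implementation; the preload entries, hostnames and response headers below are constructed for illustration, and the HSTS rules followed are the ones in RFC 6797 (header ignored over plain HTTP, max-age required, duplicate directives invalidate the header, max-age=0 clears the entry).

```python
"""Toy model of a browser's "is this host HTTPS-only?" decision.
Added example (not from the thread or any browser codebase)."""
import time
from dataclasses import dataclass
from urllib.parse import urlsplit, urlunsplit

# Constructed stand-in for the browser's preload list: host -> includeSubDomains.
# The real list has a very large number of entries.
PRELOAD = {"example.com": True, "preloaded-only.test": False}


def parse_hsts(value):
    """Parse a Strict-Transport-Security value into (max_age, include_subdomains).

    Returns None when the header is invalid (no max-age, or a repeated
    directive), which a client must treat as "no header at all".
    """
    max_age, include = None, False
    for directive in value.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, raw = directive.partition("=")
        name, raw = name.strip().lower(), raw.strip().strip('"')
        if name == "max-age":
            if max_age is not None or not raw.isdigit():
                return None
            max_age = int(raw)
        elif name == "includesubdomains":
            if include:
                return None
            include = True
        # Unknown directives (e.g. "preload") are ignored by clients.
    return None if max_age is None else (max_age, include)


@dataclass
class HstsEntry:
    expires: float            # absolute time, same clock as HstsStore.now
    include_subdomains: bool


class HstsStore:
    def __init__(self, preload=PRELOAD, now=time.time):
        self.now = now
        self.preload = dict(preload)
        self.dynamic = {}     # host -> HstsEntry learned from responses

    def observe(self, host, headers, over_https):
        """Record an HSTS header from a response. Returns True if it was used."""
        if not over_https:
            # Over plain HTTP the header is untrustworthy: an on-path attacker
            # could set or clear it. RFC 6797 says ignore it.
            return False
        lowered = {k.lower(): v for k, v in headers.items()}
        value = lowered.get("strict-transport-security")
        parsed = parse_hsts(value) if value is not None else None
        if parsed is None:
            return False
        max_age, include = parsed
        host = host.lower().rstrip(".")
        if max_age == 0:
            self.dynamic.pop(host, None)          # max-age=0 forgets the host
        else:
            self.dynamic[host] = HstsEntry(self.now() + max_age, include)
        return True

    def is_https_only(self, host):
        """Exact match on the host, or a superdomain match with includeSubDomains."""
        labels = host.lower().rstrip(".").split(".")
        for i in range(len(labels)):
            candidate, exact = ".".join(labels[i:]), (i == 0)
            if candidate in self.preload and (exact or self.preload[candidate]):
                return True
            entry = self.dynamic.get(candidate)
            if entry is not None:
                if entry.expires <= self.now():
                    del self.dynamic[candidate]   # expired, drop and keep walking
                    continue
                if exact or entry.include_subdomains:
                    return True
        return False

    def upgrade(self, url, https_by_default=False):
        """Rewrite an http:// URL to https:// when policy requires it.

        https_by_default models tweet 8/: treat *every* host as HTTPS-only,
        which makes the preload list and the dynamic cache unnecessary.
        """
        parts = urlsplit(url)
        if parts.scheme != "http":
            return url
        if not (https_by_default or self.is_https_only(parts.hostname or "")):
            return url
        netloc = parts.hostname
        if parts.port and parts.port != 80:
            netloc += f":{parts.port}"            # port 80 becomes 443 (implicit); others are kept
        return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))


if __name__ == "__main__":
    store = HstsStore()
    print(store.upgrade("http://www.example.com/shruggie"))   # preloaded with includeSubDomains
    print(store.upgrade("http://static.test/shruggie"))       # long-tail site, no policy: stays http
    print(store.upgrade("http://static.test/shruggie", https_by_default=True))
```

The `observe` check is the part worth internalising: a plain-HTTP response cannot bootstrap its own protection, so a site that never answers over HTTPS can never get into `dynamic` and never gets into the preload list, which is why a long-tail static site only becomes safe once the browser is allowed to assume HTTPS everywhere.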