Enforced https on public sites

Mæstro
Board Warrior
Posts: 1140
Joined: 2019-08-13, 00:30
Location: Casumia

Re: Enforced https on public sites

Post by Mæstro » 2025-06-06, 10:50

I wish I could voluntarily downgrade public sites to HTTP. There have been many times where a site, which I knew would not require transmitting anything sensitive, would display an expired certificate. I do not wish to add permanent exceptions to these sites in Pale Moon and do not know how to make temporary ones, so I turn away. On the other hand, the only website within the last decade I know to transmit any kind of sensitive information at all over HTTP is the all-important Neopets.
Life is a fever dream Mæstro would enjoy.
All posts 100% organic. Ash is the best letter.
What is being nice online?
Debian 10 ELTS / Official PM build

BenFenner
Keeps coming back
Posts: 909
Joined: 2015-06-01, 12:52
Location: US Southeast

Re: Enforced https on public sites

Post by BenFenner » 2025-06-06, 19:59

Moonchild wrote:
2025-06-06, 09:04
Whether a cert has a lifetime of a month, 3 months or a year makes no difference!
...
A CA response in that case should be much faster. We're talking about days, not months, here.
Seems you've been out of the loop a bit. I believe the idea of 6-day certs was all the rage a few months back.

(I'm not saying that's a good idea, mind you.)

gepus
Board Warrior
Posts: 1006
Joined: 2017-12-14, 12:59

Re: Enforced https on public sites

Post by gepus » 2025-06-06, 21:34

Mæstro wrote:
2025-06-06, 10:50
I do not wish to add permanent exceptions to these sites in Pale Moon and do not know how to make temporary ones, ...
In private browsing mode exceptions won't be stored.

Mæstro
Board Warrior
Posts: 1140
Joined: 2019-08-13, 00:30
Location: Casumia

Re: Enforced https on public sites

Post by Mæstro » 2025-06-07, 11:20

gepus wrote:
2025-06-06, 21:34
In private browsing mode exceptions won't be stored.
Clever, but I like to keep my browsing history. Is there a site with a failed certificate I can use to test whether such a site, when accessed, will show in my listing?

Veit Kannegieser
Moon lover
Posts: 76
Joined: 2019-03-23, 19:16

Re: Enforced https on public sites

Post by Veit Kannegieser » 2025-06-10, 20:21

Moonchild wrote:
2025-06-06, 09:04
That's no excuse. There's a very, very good reason we have systems in place for cert revocation. OCSP, stapled OCSP and CRLs exist and are checked by browsers for a reason. Whether a cert has a lifetime of a month, 3 months or a year makes no difference!
Partly agree here; however, the certificates can also be used for other services - postfix for me.
And OCSP is optional now, and Let's Encrypt will drop it.

Moonchild
Project founder
Posts: 39279
Joined: 2011-08-28, 17:27
Location: Sweden

Re: Enforced https on public sites

Post by Moonchild » 2025-06-10, 21:33

Veit Kannegieser wrote:
2025-06-10, 20:21
And OCSP is optional now, and Let's Encrypt will drop it.
OCSP has always been optional. It's a revocation check, and failure to connect to OCSP servers is generally not fatal except in tightly-controlled environments (which is why we have an option to enable that strictness, but it is not enabled by default).
Let's Encrypt never revokes certs, so it wouldn't do anything for them anyway; there's nothing for them to lose by dropping it... :)
Veit Kannegieser wrote:
2025-06-10, 20:21
the certificates can also be used for other services - postfix for me.
Of course, and those other applications should, if they want to maintain trust, have mechanisms to deal with revoked certificates too; whether that is infrequent CRL downloads or other ways. For the web, though, it's always been a more pressing thing, because of the much larger threat there.

The fact that trust as part of TLS has been eroded this way doesn't take away that it's essential; encryption (for the sake of encryption) doesn't matter when the biggest risk isn't that some man-in-the-middle snoops on what you communicate with a legitimate server, but rather that malicious actors can impersonate servers and have cryptographic trust. In the situation we used to have, it was clear when something wasn't secure, because of the public net being unencrypted; the protocol was a good indicator and getting a certificate was involved. The current state of affairs is that the protocol means nothing, "mainstream" browsers don't even display EV certificates as such anymore to distinguish from the lowest-threshold ones, and it's all worse than it was before while everything is supposedly "more secure" with encryption everywhere now? Sorry, but no. In the practical Internet, we're worse off than we were.
"Praise from a narcissistic person is always a poison dart. They don't share the stage, so discernment matters." - Dr. Ramani
"Seek wisdom, not knowledge. Knowledge is of the past; wisdom is of the future." -- Native American proverb
"Linux makes everything difficult." -- Lyceus Anubite

Lycanthrope_végétarien
Moongazer
Posts: 11
Joined: 2024-10-26, 14:15

Re: Enforced https on public sites

Post by Lycanthrope_végétarien » 2025-06-13, 17:30

It seems that stupidity is contagious :crazy:

since yt-dlp-2025.06.09:
"https protocol not found, recompile FFmpeg with openssl, gnutls or securetransport enabled."

I don't blame yt-dlp, this is certainly necessary for access to YouTube Videos.

Moonchild
Project founder
Posts: 39279
Joined: 2011-08-28, 17:27
Location: Sweden

Re: Enforced https on public sites

Post by Moonchild » 2026-04-14, 03:47

Topic unlocked by request for further discussion.

back2themoon
Knows the dark side
Posts: 3215
Joined: 2012-08-19, 20:32

Re: Enforced https on public sites

Post by back2themoon » 2026-04-14, 11:14

That weather website looks like it is now HTTPS. Farmers with old hardware no longer an issue?

BenFenner
Keeps coming back
Posts: 909
Joined: 2015-06-01, 12:52
Location: US Southeast

Re: Enforced https on public sites

Post by BenFenner » 2026-04-14, 12:26

I asked to have this thread unlocked so I could post a newly released video that could not be more on topic. It is by the beloved CS/Math/Research YouTuber tom7 (you should really go watch his back catalog if you have not seen it).

suckerpinch | No one can force me to have a secure website!!!
https://www.youtube.com/watch?v=M1si1y5lvkk

Shadow
Moon lover
Posts: 86
Joined: 2023-03-16, 13:21

Re: Enforced https on public sites

Post by Shadow » 2026-04-14, 12:31

back2themoon wrote:
2026-04-14, 11:14
That weather website looks like it is now HTTPS.
To save the rugged, grizzled, disheveled Aussie farmers who'll never read this.

http://reg.bom.gov.au/

or, for the heck of it, a very basic alt.

http://wttr.in/

Moonchild
Project founder
Posts: 39279
Joined: 2011-08-28, 17:27
Location: Sweden

Re: Enforced https on public sites

Post by Moonchild » 2026-04-14, 15:03

BenFenner wrote:
2026-04-14, 12:26
I asked to have this thread unlocked so I could post a newly released video that could not be more on topic. It is by the beloved CS/Math/Research YouTuber tom7 (you should really go watch his back catalog if you have not seen it).

suckerpinch | No one can force me to have a secure website!!!
https://www.youtube.com/watch?v=M1si1y5lvkk
Interesting, and showing yet another way in which LE is insecure and has killed trust in TLS.

mittorn
Apollo supporter
Posts: 32
Joined: 2026-01-13, 19:32

Re: Enforced https on public sites

Post by mittorn » 2026-04-14, 15:16

Some mobile ISPs used to intercept HTTP traffic and insert ads, so HTTPS might be useful even without sensitive data (at least as an option), to make sure the page is not modified.
Another reason is the placeholder pages an ISP may enforce when the internet or a resource is blocked; it typically inserts a redirect HTTP response instead of the real response. It's better to see an HTTPS connection error than a redirect, which may hide the original request URL.

I do not like HSTS and TLS version enforcing, but without them a security downgrade attack is possible.
It would be safe not to enforce the TLS version on the server if it were included in the URL scheme, so that it would not be possible to silently downgrade the protocol version. I want my servers to support SSL3, so old browsers may access the https-only auth form, but enabling it would allow someone to steal auth data with a TLS downgrade even on a modern browser, and moreover, some existing browsers will warn that the server is not safe.

Lucio Chiappetti
Keeps coming back
Posts: 919
Joined: 2014-09-01, 15:11
Location: Milan Italy

Re: Enforced https on public sites

Post by Lucio Chiappetti » 2026-04-14, 18:04

BenFenner wrote:
2026-04-14, 12:26
suckerpinch | No one can force me to have a secure website!!!
Yes they can ...
I have been managing my institute's website from 1993 (!) to 2004 and again from 2008 to 2019. I have been managing a website on my own machine at work for both internal usage and scientific data exchange. All plain http, and all static HTML written by hand. Never had any need of https (i.e. an SSL-capable apache) except for a short time when I set up a webmailer to access a private IMAP server on my machine (now disused), for which I used a self-signed certificate (one of the collateral effects of using https is that you have to get certificates).
However, now the national academic network authority seems to have delegated security checks to a higher national authority, which is scanning the various servers and insists on https. :evil:
The reasonable man adapts himself to the world: the unreasonable one persists in trying to adapt the world to himself. Therefore all progress depends on the unreasonable man. (G.B. Shaw)

Moonchild
Project founder
Project founder
Posts: 39279
Joined: 2011-08-28, 17:27
Location: Sweden

Re: Enforced https on public sites

Post by Moonchild » 2026-04-14, 18:11

Lucio Chiappetti wrote:
2026-04-14, 18:04
However, now the national academic network authority seems to have delegated security checks to a higher national authority, which is scanning the various servers and insists on https. :evil:
What's stopping you from supplying both, and leaving it up to the visitor to make their choice?

Lucio Chiappetti
Keeps coming back
Posts: 919
Joined: 2014-09-01, 15:11
Location: Milan Italy

Re: Enforced https on public sites

Post by Lucio Chiappetti » 2026-04-14, 19:27

Nothing forbids it (technically), but it is sort of a nuisance ...
1) I have to get "true" certificates (luckily our sysman can issue them ... and did)
2) I'd have to learn how to configure my apache for SSL, which is something I'd gladly do without (like learning to fish or drive a car). I'd prefer to remove SSL support altogether (for the unused webmailer, which I can drop)
3) at the moment I'm using, for a specific task, a little old utility on 8080 which can use only http. So the few HTML pages transferring control to it fail if they are called as https. This means I can't use a two-liner Rewrite rule http->https, but I'd have to write an ad hoc one excluding those few pages. Again, I'd have better ways to spend my time ...

ownedbywuigi
Fanatic
Posts: 248
Joined: 2026-03-09, 21:48
Location: United Kingdom

Re: Enforced https on public sites

Post by ownedbywuigi » 2026-04-17, 05:49

It’s a bit funny how MC is talking about public sites being forced to use HTTPS… meanwhile the Pale Moon site (as far as I can tell, for the main domain at least…) is a public site yet is forcing HTTPS.

:P
Lead Dactyloidae developer.
Feedback needed! https://forum.palemoon.org/viewtopic.ph ... 30#p272630

Moonchild
Project founder
Posts: 39279
Joined: 2011-08-28, 17:27
Location: Sweden

Re: Enforced https on public sites

Post by Moonchild » 2026-04-17, 06:23

ownedbywuigi wrote:
2026-04-17, 05:49
It’s a bit funny how MC is talking about public sites being forced to use HTTPS… meanwhile the Pale Moon site (as far as I can tell, for the main domain at least…) is a public site yet is forcing HTTPS.

:P
It isn't.

However, if you tell the web server to "upgrade insecure requests" with the HTTP request header, then it will do what you ask and switch to HTTPS.

If you don't send the header though, and go to http:// then it will just serve the page unencrypted.
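An added Apache 2.4 configuration sketch, written for this thread and not the configuration of the Pale Moon site or of Lucio's server, showing the two points above in one vhost pair: Moonchild's description of serving plain HTTP unless the client sends the `Upgrade-Insecure-Requests: 1` request header, and Lucio's need to keep the few pages that hand off to the http-only utility on 8080 out of the http->https rewrite. It assumes mod_rewrite, mod_headers and mod_ssl are loaded; `example.org`, `/legacy/` and the certificate paths are placeholders.

```apache
# Added example, not any site's real configuration.
# Placeholders: example.org, /legacy/, certificate paths.

# Plain-HTTP vhost: pages are served unencrypted by default,
# so the visitor keeps the choice (Moonchild's "supply both").
<VirtualHost *:80>
    ServerName example.org
    DocumentRoot /var/www/example.org

    RewriteEngine On

    # Pages that hand control to the http-only utility on 8080
    # must stay on http://, so they are excluded before any
    # upgrade rule runs (Lucio's point 3).
    RewriteCond %{REQUEST_URI} ^/legacy/
    RewriteRule ^ - [L]

    # Only a client that explicitly asks to be upgraded is sent
    # to HTTPS; everyone else gets the plain page as requested.
    RewriteCond %{HTTP:Upgrade-Insecure-Requests} ^1$
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [R=307,L]

    # The response now depends on that request header, so caches
    # must not serve the redirect to clients that did not ask.
    Header always set Vary "Upgrade-Insecure-Requests"
</VirtualHost>

# HTTPS vhost: same content for visitors who choose it.
<VirtualHost *:443>
    ServerName example.org
    DocumentRoot /var/www/example.org

    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/example.org.crt
    SSLCertificateKeyFile /etc/ssl/private/example.org.key

    # The URL scheme cannot carry a minimum protocol version, so
    # it has to be pinned server-side or a silent downgrade is
    # possible (mittorn's point earlier in the thread).
    SSLProtocol -all +TLSv1.2 +TLSv1.3

    # Deliberately no Strict-Transport-Security header: HSTS would
    # make browsers force HTTPS and take the choice away again.
</VirtualHost>
```

Visiting `http://example.org/legacy/...` never redirects; `http://example.org/` redirects only for browsers that send the upgrade header, which is exactly the behaviour described above.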

UCyborg
Keeps coming back
Posts: 945
Joined: 2019-01-10, 09:37
Location: Slovenia

Re: Enforced https on public sites

Post by UCyborg » 2026-04-17, 21:11

Mæstro wrote:
2025-06-06, 10:50
I wish I could voluntarily downgrade public sites to HTTP. There have been many times where a site, which I knew would not require transmitting anything sensitive, would display an expired certificate. I do not wish to add permanent exceptions to these sites in Pale Moon and do not know how to make temporary ones, so I turn away.
It's already there: just don't have the "Permanently store this exception" checkbox ticked.

Last I checked, Chromium had an option to ignore certificate errors (a command-line parameter); I don't know if there's an equivalent in Pale Moon.

I faintly remember experimenting with Proxomitron in the past. I think you could have the browser get the content over HTTP while the proxy did the talking over HTTPS. No idea if it has a global "ignore certificate errors" setting.

I recently wrote a cheat sheet for myself on how to generate certificates with OpenSSL. I might start selling certificates when I get tired of my current job.
The Merovingian wrote: Choice is an illusion, created between those with power, and those without.

Basilisk-Dev
Astronaut
Posts: 636
Joined: 2022-03-23, 16:41
Location: Chamber of Secrets

Re: Enforced https on public sites

Post by Basilisk-Dev » 2026-04-18, 12:03

Semi-related. Who determines that a CA is trustworthy, but that me self-signing a cert for my own domain is not trustworthy? It seems kind of pointless if Let's Encrypt will just issue a free certificate to anybody?
Basilisk Project Owner
