I was under the impression that you can MITM HTTPS, it just requires the client to trust the proxy (by installing its CA). It's mostly used in corporate environments for monitoring & blocking, but it should work for caching proxies too.
Ironically for what seems to be an article about webpage performance, this site runs horribly on my phone (Android, Firefox) - something is broken with the scroll, it's choppy and unusable. Anyone else?
This is a common pattern in the development of the web now. The people pushing development are focused on profitable users. People in rural areas of third world countries are not a priority. Disabled users will get the legal minimum accommodation. People with older hardware are usually not commercially important - cheaper tog et rid of them.
Making websites less accessible didn't have the miraculous improvement in security that people were wishing for.
With things other than just HTTPS adding up to discourage huge percentages of users the way it never used to be.
Now if someone can capture a fraction of a percent of the increasingly excluded users, it would be a bonanza.
You know, the millions of users that virtually nobody is addressing any more, as the competition to further exclude more visitors ratchets up to encompass more and more formerly mainstream traffic. By the millions at a time. It adds up after a while.
Think of the opportunities there used to be.
For people that want to have outreach from their website, the delivery to the web as a whole has never been less complete by default.
And nobody who can do anything about it can measure what they can't see, and they can't see it because they have their hands full with trying to squeeze the most out of the diminishing pickings that do make it onto their radar. Any which are not fully harvested already, that is.
This is part of why HTTP+HTTPS still has a place for non-commercial non-institutional just for fun/education websites. HTTP+HTTPS is also significantly less fragile than HTTPS-only over any years+ long timescales. Eventually even the tool keeping your CA TLS cert up to date itself will stop working or the root cert will expire, etc. HTTP+HTTPS means the site keeps being accessible. If the threat model allows it, it's better.
On a long enough time window even your version of TLS itself will expire. This came up the other day in a discussion of how much of the web is still accessible to a browser like Netscape Navigator 4. It can't speak TLS 1.3 at all on its own, no matter if you give it an up-to-date CA bundle or not. There's a lot of the web that has already moved to TLS 1.3 with intentionally no fallback to older versions, or only fallback to TLS 1.2. No security conscious user of TLS 1.3 will say "fallback to SSL 2.0 is just fine", they set the defaults, and those defaults impact even things that don't need the tightest security such as blogs and fun/education websites.
I was under the impression that you can MITM HTTPS, it just requires the client to trust the proxy (by installing its CA). It's mostly used in corporate environments for monitoring & blocking, but it should work for caching proxies too.
https://rasika90.medium.com/how-i-saved-tons-of-gbs-with-htt...
Yes it seems they call it SSL bumping
Try to make this MITM caching work consistently for all the computers (phones iot etc) of your home.
Then think about doing the same for a school.
Even when done "correctly", this breaks so, so much stuff on a typical developer on Windows set up. Ask me how I know.
I have corporate VPN that forces this. Basically a bunch of programs break because they come with their own trusted CA list
Ironically for what seems to be an article about webpage performance, this site runs horribly on my phone (Android, Firefox) - something is broken with the scroll, it's choppy and unusable. Anyone else?
It's a bit choppy for me too. Reminds me of those sites that has a static, non-scrolling, background image.
Samsung S21, Firefox with uBlock Origin.
Android Firefox, no problems here. I do have ubo installed if that makes a difference.
This is a common pattern in the development of the web now. The people pushing development are focused on profitable users. People in rural areas of third world countries are not a priority. Disabled users will get the legal minimum accommodation. People with older hardware are usually not commercially important - cheaper tog et rid of them.
I think it could be restated:
Making websites less accessible didn't have the miraculous improvement in security that people were wishing for.
With things other than just HTTPS adding up to discourage huge percentages of users the way it never used to be.
Now if someone can capture a fraction of a percent of the increasingly excluded users, it would be a bonanza.
You know, the millions of users that virtually nobody is addressing any more, as the competition to further exclude more visitors ratchets up to encompass more and more formerly mainstream traffic. By the millions at a time. It adds up after a while.
Think of the opportunities there used to be.
For people that want to have outreach from their website, the delivery to the web as a whole has never been less complete by default.
And nobody who can do anything about it can measure what they can't see, and they can't see it because they have their hands full with trying to squeeze the most out of the diminishing pickings that do make it onto their radar. Any which are not fully harvested already, that is.
Needs (2018) in the title.
This is part of why HTTP+HTTPS still has a place for non-commercial non-institutional just for fun/education websites. HTTP+HTTPS is also significantly less fragile than HTTPS-only over any years+ long timescales. Eventually even the tool keeping your CA TLS cert up to date itself will stop working or the root cert will expire, etc. HTTP+HTTPS means the site keeps being accessible. If the threat model allows it, it's better.
On a long enough time window even your version of TLS itself will expire. This came up the other day in a discussion of how much of the web is still accessible to a browser like Netscape Navigator 4. It can't speak TLS 1.3 at all on its own, no matter if you give it an up-to-date CA bundle or not. There's a lot of the web that has already moved to TLS 1.3 with intentionally no fallback to older versions, or only fallback to TLS 1.2. No security conscious user of TLS 1.3 will say "fallback to SSL 2.0 is just fine", they set the defaults, and those defaults impact even things that don't need the tightest security such as blogs and fun/education websites.