Ask HN: Why Isn't Paulgraham.com on HTTPS?
Seems unusual for someone as high profile in tech as him to not serve his site with an SSL cert. Is this just laziness? Since it's just a basic content site, I suppose it doesn't matter?
13 comments
You're not submitting data to him, so no benefit to protect you there.
There is a risk downloading the text. Does it warrant a signature? I don't think so.
When you hand out candy on Halloween you could include a digital signature with each piece you hand out. People receiving the candy would have more confidence it came from you, and not a bad guy wearing a mask, sitting on your front porch impersonating you.
Does everything need signatures? The stakes of accepting candy are much higher simple raw text.
There is a risk downloading the text. Does it warrant a signature? I don't think so.
When you hand out candy on Halloween you could include a digital signature with each piece you hand out. People receiving the candy would have more confidence it came from you, and not a bad guy wearing a mask, sitting on your front porch impersonating you.
Does everything need signatures? The stakes of accepting candy are much higher simple raw text.
This is a misunderstanding of the reasons to use https. ISPs can inject ads or other stuff if it's not https.
Are they, though? I think thats the point.
Edit: to be fair, I mean in this specific case. And I know they _could_ be. But are they?
Edit: to be fair, I mean in this specific case. And I know they _could_ be. But are they?
> You're not submitting data to him, so no benefit to protect you there.
This is a common misconception. If a page is using http, an attacker could add a sign-up form, a login form, a payment form, a malware download etc. or anything they want to the page to steal entered data or just redirect you to another malicious site, anything they want.
This is a common misconception. If a page is using http, an attacker could add a sign-up form, a login form, a payment form, a malware download etc. or anything they want to the page to steal entered data or just redirect you to another malicious site, anything they want.
You’re supposed to be worried about your ISP or the government knowing that you’re reading essays online.
My company spent precious developer hours this week 'fixing' old intranet websites that recently started giving Chrome 'insecure' warnings on internal links. HTTP is definitely not a risk in this scenario. And PG's website is not a risk either.
Google's war on http is misguided, dumb, and wasteful.
Google's war on http is misguided, dumb, and wasteful.
It is a feature. As a frequent user, I would rather have it on plain HTTP as well. Aside from the performance benefit, it also helps if people monitoring my internet traffic (my ISP, NSA, Putin, Zuck etc.) reads Paul Graham and they may get enlightened. May not seem much but it is actually one of the few steps humanity is taking towards world peace.
The certificate will expire some day and then there will be a huge uproar about it with solutions/advise without knowing the full setup.
While being satire, this page makes some good arguments - http://n-gate.com/software/2017/07/12/. You will need to copy the link and paste it into a new tab, as it blocks HN refers.
> You will need to copy the link and paste it into a new tab, as it blocks HN refers.
I opened the link from inside Firefox just fine. YMMV.
I opened the link from inside Firefox just fine. YMMV.
> You will need to copy the link and paste it into a new tab, as it blocks HN refers.
I love that website and didn't know about that until now. Now I love it even more.
I love that website and didn't know about that until now. Now I love it even more.