Insecure web still too prevalent: Boffins unveil HSTS wall of shame

Nick Kew

HTTPS isn't just about hiding the content. It's also about proving that the content is intact, as it left the source server, and that the source server is who they claim to be.

Sometimes that matters. Other times it really doesn't: who cares if it was some anonymous MITM who inserted your comment? And there are much-lower-overhead ways to achieve such goals: for example, the rarely-used Content-MD5 HTTP header offers a way to verify intactness of content against accidental damage, and similar use of a cryptographic signature such as PGP could protect where it really matters.

There are also legitimate reasons to rewrite content on the fly. My own involvement with such goes back to about 2002 when I was working on accessibility tools, and provided a proxy that would rewrite elements of HTML on-the-fly to make it more readable to someone with a linear or text-only browser. Remove some of the hurdles faced by blind users, or by Granny Arthritic who stands no chance chasing script-driven menus with a mouse.
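An added example, not part of the comment above: the Content-MD5 check it mentions, next to a keyed signature over the same body, run against accidental damage and against an in-path rewrite. Assumptions: HMAC-SHA256 stands in for the PGP signature (unlike PGP it needs a shared key), and the `X-Body-Signature` header name, the key and the sample bodies are constructed for illustration.

```python
import base64
import hashlib
import hmac


def content_md5(body: bytes) -> str:
    """Content-MD5 value: base64 of the raw 128-bit MD5 digest of the body."""
    return base64.b64encode(hashlib.md5(body).digest()).decode("ascii")


def md5_intact(headers: dict, body: bytes) -> bool:
    """Receiver-side check of the body against the Content-MD5 header."""
    claimed = headers.get("Content-MD5")
    return claimed is not None and hmac.compare_digest(claimed, content_md5(body))


def sign(key: bytes, body: bytes) -> str:
    """Keyed signature over the body (HMAC-SHA256, a stand-in for PGP)."""
    mac = hmac.new(key, body, hashlib.sha256).digest()
    return base64.b64encode(mac).decode("ascii")


def signature_valid(key: bytes, headers: dict, body: bytes) -> bool:
    """Check the hypothetical X-Body-Signature header against the body."""
    claimed = headers.get("X-Body-Signature")
    return claimed is not None and hmac.compare_digest(claimed, sign(key, body))


def demo() -> dict:
    key = b"constructed-demo-key"            # constructed sample key
    body = b"<p>Original comment text</p>"   # constructed sample body
    headers = {"Content-MD5": content_md5(body),
               "X-Body-Signature": sign(key, body)}

    # Accidental damage: one byte changes in transit, headers arrive untouched.
    damaged = b"<p>Original comment tex\x00</p>"

    # In-path rewrite: the body is replaced and Content-MD5 is recomputed to
    # match. The rewriter has no key, so the signature header is left as sent.
    rewritten = b"<p>Rewritten comment text</p>"
    rewritten_headers = dict(headers)
    rewritten_headers["Content-MD5"] = content_md5(rewritten)

    return {
        "intact_md5": md5_intact(headers, body),
        "intact_sig": signature_valid(key, headers, body),
        "damaged_md5": md5_intact(headers, damaged),
        "rewritten_md5": md5_intact(rewritten_headers, rewritten),
        "rewritten_sig": signature_valid(key, rewritten_headers, rewritten),
    }
```

The unkeyed digest flags the damaged body but accepts the rewritten one, because anyone on the path can recompute it; only the keyed check rejects the rewrite.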

