I’ve not read this yet, just passing it along, as it looks really interesting.
I’m not affiliated in any way with this.
ETA: If anyone has read it / bought a copy, a review would be very appreciated.
Hopefully the author explains how to use SSL/TLS since their site doesn’t :/
They do, via Traefik. Chapter 8.
Maybe they decided there was nothing that requires an SSL/TLS certificate on this particular site? (They accept payments elsewhere).
It’s because you linked to the site using http://. This is something the site should account for, but doesn’t.
How do you know that if you’ve never read it?
Because I clicked the link and read the link at the top which says “Code”. The book’s contents are open source. :)
Though I think everyone who can afford to and wants a copy should consider buying one. As an author myself, I know this author would prefer that option, but they’re being very cool by sharing the contents online too.
https://github.com/meonkeys/shb/blob/main/book/steadfast.asciidoc
The site does use https for me… it instantly redirects from http to https
Your browser is redirecting, the site is not.
That’s possible, I’m using Firefox, is that something Firefox would do?
Yes, there is/was a setting for that, should be on by default.
I might have missed it, but it doesn’t look like their site accepts payment data, or has a login of any kind.
Why would the lack of SSL concern you?
Because it means my traffic to that site is in the clear. And while we’re not transacting anything sensitive necessarily, it’s still best practice to limit sniffing.
Automatically swapping to https should be default behavior for every website.
There’s no need to encrypt this data. Any entity that is watching you knows how to see the domains you visit, and everything on this site is on the main page, or a click away from it.
An SSL here is nothing more than security theater, or marketing.
Or like I already said… is best practice.
“Best practice” isn’t a catch-all rebuttal. Best practices are contextual. I’m keen to see your justification for encryption beyond “all sites should encrypt everything always”.
My assertion is that this isn’t necessary in this case. Why do you think that it is necessary to encrypt open-source, freely available, non-controversial site content?
The site is already available in HTTPS. Why would you even serve content non-encrypted?
If you need an education on the matter… Here you go. https://www.cloudflare.com/learning/ssl/why-use-https/
I don’t feel the need to be your teacher. You can easily google why you should always be using HTTPS. There are numerous reasons… all overwhelmingly obvious. Forget the basic “Not every ISP is an angel, and they all will collect as much information as they can get”. But I already said that… “It’s still best practice to limit sniffing.” Not sure why I need to elaborate any more on that. Very much akin to “why close your window blinds”, because nobody likes a peeping tom.
Ultimately for this specific website it’s literally changing a couple lines of code in their Apache or nginx instance (or whatever proxy they’re using). It’s called best practice for a reason.
Edit: Hell, it’s even a bit more of a guarantee that your site makes it to the consumer unaltered. Would be odd for that site to have its packets intercepted and midget porn be added to every page, wouldn’t it? Think that would hurt the guy’s reputation?
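The question argued earlier in the thread, whether the site itself redirects to HTTPS or the browser is doing the upgrade, can be settled by looking at the raw response to a plain `http://` request. The following is an added example, not part of the thread or the book's code; the host name `book.example` and the sample responses are constructed.

```python
from urllib.parse import urlsplit

REDIRECT_CODES = {301, 302, 303, 307, 308}

# Constructed sample responses (not captured from the site discussed above).
SERVED_OVER_HTTP = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>"
REDIRECTED = (b"HTTP/1.1 301 Moved Permanently\r\n"
              b"Location: https://book.example/\r\n\r\n")
HTTPS_WITH_HSTS = (b"HTTP/1.1 200 OK\r\n"
                   b"Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n\r\n")


def parse_response_head(raw: bytes):
    """Return (status_code, headers) from the head of a raw HTTP/1.x response."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers


def classify_plain_http(raw: bytes, requested_host: str) -> str:
    """Classify how the server answered a request sent over plain http://."""
    status, headers = parse_response_head(raw)
    if status in REDIRECT_CODES:
        target = urlsplit(headers.get("location", ""))
        if target.scheme == "https" and target.hostname == requested_host:
            return "server-redirects-to-https"
        # A relative or http:// Location keeps the client on cleartext.
        return "redirect-not-to-https-on-same-host"
    if 200 <= status < 300:
        # Content came back in the clear: any https seen in a browser
        # is the browser's own upgrade, not the site's.
        return "serves-content-over-http"
    return "other"


def hsts_max_age(raw: bytes):
    """Return Strict-Transport-Security max-age in seconds, or None if absent.
    Browsers only honour this header when it arrives over HTTPS."""
    _, headers = parse_response_head(raw)
    for directive in headers.get("strict-transport-security", "").split(";"):
        key, _, value = directive.strip().partition("=")
        if key.lower() == "max-age" and value.strip('"').isdigit():
            return int(value.strip('"'))
    return None
```

To get a real response head to feed in, fetch the `http://` URL with a client that does no automatic HTTPS upgrade, for example `curl -sI`.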