The URL that's supposed to redirect to HTTPS is still vulnerable to MitM. It can... | Hacker News

Hacker Newsnew | past | comments | ask | show | jobs | submit

		deadowl on Aug 8, 2016 \| parent \| context \| favorite \| on: TLS Everywhere, not https: URIs (2015) The URL that's supposed to redirect to HTTPS is still vulnerable to MitM. It can be modified in transit to serve up the same data as the HTTPS URL, but in plaintext, and potentially with a different form action attribute, etc. There are different things that can help with that, but none of them universally protect privacy.

ckastner on Aug 8, 2016 [–]

That would mean HTTPS is not necessarily an improvement security-wise, but that does not explain how it "completely breaks the web" by "breaking links to".

To be more specific, I'm referring to the "Don't break the Web" section in the article.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact