HTTP traffic -is- necessarily insecure. It's trivial for anyone on your network to run Wireshark and see/modify all of your traffic. And a lack of HSTS leaves your site potentially vulnerable to SSLstrip.
And we have the first person to confound not having a .app with not encrypting the connection here. The comment you replied to did not imply that HTTP is not necessarily insecure, it said that you can (quite obviously) use HTTPS with any TLD.
The comment referred to Google flagging other content as insecure; Google does that for HTTP content, not non-.app content.
The problem is either the “not necessarily” part is wrong (in regard to flagging HTTP) or the criticism is directed at a fantasy that isn't actually occurring (in regard to flagging things that aren't .app). Either way, the criticism is defective.
> Google throws down a few hundred grand to get the .app domain,
> in concert with modifying their web browser
> to deliberately mark others' traffic as "Insecure"
> (it is not necessarily!),
> and reaps the fees now
This is what patrickg_zill's comment said, just with some newlines and emphasis to make it more understandable. The "not necessarily" does not refer to HTTP, it refers to non-.app domains. And there is no "criticism is directed at a fantasy", there is a cynical prediction which is completely possible in all respects. You, or I, may think that that'll never be the reality, but regardless, that's what the comment said, and the other commenter misunderstood. I don't get why I get downvotes and criticism for this.
I think the idea would be that Chrome would sooner or later mark non-HSTS sites like .app as 'half secure' or add a special extra greener bar for .app sites. Given Google's track record, I wouldn't really doubt it.
That would be really weird, considering that most Google sites are not .app, and would be quite a pain to change. Suddenly every competitor to their services gets a special greener bar for a few bucks?