Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

That is entirely untrue. HTTPS is just HTTP encrypted with TLS. The only parties that can decrypt the traffic are the people with the session keys: you and the website you’re visiting.


You are plain wrong.


How so?


Cause requests are often sent through any of the large third-party layer 7 reverse proxy networks that sits between the user and the origin host.


All they see is ciphertext unless they’re terminating TLS and forwarding your traffic on to the target website.


They are terminating TLS.


Not sure how this is a problem with HTTPS, then. It’s like complaining that AES encryption is broken because you have away your keys to a bunch of people.


It is a problem with HTTPS as it removes capabilities of HTTP without offering any other solution except terminating TLS.


What you’ve said so far has been generally confused and incorrect. I would suggest doing more research about HTTPS.


Says the guy who did not even know that all these reverse proxies like Cloudflare does TLS termination on the edge.


You’re glossing over that these third parties C are contracted trusted parties of entity B and thus for B’s purposes are considered part of B.

HTTPS and transport security isn’t a broken idea.

Standardized content security has been tried in many contexts and has typically been even less secure unless it’s for long lived opaque media, like S/MIME for emails. Structured data like XML security has been abysmal.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: