Reply to post: Re: HTTP has got to go

FREE wildcard HTTPS certs from Let's Encrypt for every Reg reader*

Ben Tasker

Re: HTTP has got to go

You typed all that just to be wrong? Wow.

HTTP is acceptable for nothing, not even static pages.

Only a sith deals in absolutes.

There are in fact use cases where plain HTTP is acceptable, and in fact entirely unavoidable. Thankfully they're becoming less common, but they do exist.

For example, I have a script/service that checks whether your ISP is intercepting HTTP connections (by, for example, passing them through a transparent proxy), whether they're messing with the data in any way, whether they cache (and if so, have they protected against cache poisoning attacks etc). That absolutely has to happen over port 80, because it's HTTP traffic that they fuck with.

Now, obviously that's a fairly obscure use case, but my point is this: When it comes to IT Security, if you speak in absolutes then you're likely as much of an idiot as you think the guy you're "correcting" is.

HTTPS is too easily brushed off by many people, but you do no-one any favours by being a die-hard about it. Especially when your response seems to not only assume that Port 80 is only ever used by a browser, but completely misreads the apparent intent of the post you were responding to.

Security starts by not blindly trusting in automated tools, and using that grey blob between your ears to think things through instead. Too much reliance on security tools such as HTTPS can create a massive risk in itself.

He's more right than you are ;)

Simply enabling HTTPS isn't enough (though it should be a first step in the absence of a strong case against it), but we've got to break this idea that users have developed that HTTPS means the site is safe. It's a dangerous false sense of security.

All the cert check actually does is verify that the server you're speaking to is authorised to speak for the domain you connected to. It doesn't make hs.bc any more legitimate.
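As an added illustration of the plain-HTTP interception check described in the comment above (this is example code written here, not Ben Tasker's script), the analyzer below takes a response fetched over port 80 and reports signs that something in the path has touched it: a body hash that no longer matches what the origin is known to serve, a Content-Length that no longer agrees with the body, headers that only an intermediary would add, a rewritten Server header or status. The canary page, its expected hash, the origin's Server value and both sample responses are constructed for the example; `fetch_plain_http` is the only part that goes on the wire and is not called when the module is imported.

```python
"""Added example: detect transparent proxies, caches and content rewriting on a
plain-HTTP path by comparing what arrives with what the origin is known to send.
Not the original poster's script; the canary page, expected hash and sample
responses below are constructed assumptions for illustration."""
import hashlib
import http.client
from typing import Dict, List, Tuple

# Response headers that intermediaries commonly add. The origin never sends
# these for the canary page, so seeing any of them means something sat in the path.
PROXY_HEADERS = ("via", "x-cache", "x-cache-lookup", "x-squid-error",
                 "x-forwarded-for", "age")

# Constructed canary: the exact bytes the (assumed) origin serves at the test path.
CANARY_BODY = b"<html><body>canary-page v1</body></html>\n"
CANARY_SHA256 = hashlib.sha256(CANARY_BODY).hexdigest()
ORIGIN_SERVER = "canary-origin"  # assumed Server header value the origin emits


def analyze_http_response(status: int, headers: Dict[str, str], body: bytes,
                          expected_sha256: str,
                          origin_server: str = "") -> List[str]:
    """Return a list of human-readable findings; an empty list means the
    response looks exactly like what the origin would have sent."""
    findings: List[str] = []
    lower = {k.lower(): v for k, v in headers.items()}

    # 1. Body integrity: any injected or rewritten byte shows up as a hash mismatch.
    digest = hashlib.sha256(body).hexdigest()
    if digest != expected_sha256:
        findings.append(f"body modified in transit (sha256 {digest[:12]}... != expected)")

    # 2. Declared vs actual length: sloppy injection often leaves these out of step.
    declared = lower.get("content-length")
    if declared is not None and declared.isdigit() and int(declared) != len(body):
        findings.append(f"content-length {declared} does not match body length {len(body)}")

    # 3. Intermediary fingerprints (Age alone indicates a cached copy was served).
    for name in PROXY_HEADERS:
        if name in lower:
            findings.append(f"intermediary header present: {name}: {lower[name]}")

    # 4. Server header rewritten by a middlebox.
    if origin_server and lower.get("server", "") != origin_server:
        findings.append(f"server header changed: {lower.get('server')!r} != {origin_server!r}")

    # 5. Status rewritten: a 200 turned into a redirect or a block page.
    if status != 200:
        findings.append(f"unexpected status {status}")
    return findings


def fetch_plain_http(host: str, path: str = "/",
                     timeout: float = 10.0) -> Tuple[int, Dict[str, str], bytes]:
    """Fetch over port 80 deliberately: the point is to observe what the path
    does to HTTP, so HTTPS cannot be used here. No Cache-Control request header
    is sent, so an ISP cache is free to reveal itself via Age / X-Cache."""
    conn = http.client.HTTPConnection(host, 80, timeout=timeout)
    try:
        conn.request("GET", path, headers={"User-Agent": "http-path-check/0.1"})
        resp = conn.getresponse()
        return resp.status, dict(resp.getheaders()), resp.read()
    finally:
        conn.close()


# Constructed samples: one untouched response, one that passed through a caching
# proxy which also injected a script tag without fixing Content-Length.
CLEAN_RESPONSE = (200, {"Server": ORIGIN_SERVER, "Content-Type": "text/html",
                        "Content-Length": str(len(CANARY_BODY))}, CANARY_BODY)
TAMPERED_BODY = CANARY_BODY.replace(
    b"</body>", b'<script src="http://injected.example/ad.js"></script></body>')
TAMPERED_RESPONSE = (200, {"Server": ORIGIN_SERVER, "Content-Type": "text/html",
                           "Content-Length": str(len(CANARY_BODY)),
                           "Via": "1.1 isp-proxy", "X-Cache": "HIT", "Age": "120"},
                     TAMPERED_BODY)


if __name__ == "__main__":
    for label, sample in (("clean", CLEAN_RESPONSE), ("tampered", TAMPERED_RESPONSE)):
        result = analyze_http_response(*sample, CANARY_SHA256, origin_server=ORIGIN_SERVER)
        print(label, result or ["no findings"])
```

To run it against a real path you would call `fetch_plain_http` on a host you control that serves the canary and feed the result to `analyze_http_response`; fetching twice in a row is what exposes a cache, since only the second reply acquires an Age or a cache-hit header. The hash comparison is the part HTTPS would normally give you for free, which is exactly why this particular check cannot be moved off port 80.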
