rysiek ✅ @rysiek

Found in :

"apparently people are getting around Chrome and Firefox telling everyone that non-HTTPS password fields are 'not secure' by just using regular text fields. they change the font on the text field to 'text-security-disc', which is apparently a font that exists of all bullets and looks just like traditional password fields."

How about instead of investing time and effort into schemes like these, you just ROLL OUT FOR FSCK'S SAKE!


@rysiek
There's no excuse not to implement HTTPS anymore!

@MichaelBall @thomas @rysiek What about microcontrollers with too little memory and CPU speed for HTTPS?

@killerdicke Hmmm as a responsible human you should waste them ... ;-)

No, just kidding ... ;-) ... I'm aware of those tiny weak platforms, but you should at least find an adequate replacement for HTTPS.

@thomas @rysiek @MichaelBall @killerdicke I guess as long as you're not serving anything sensitive from those microcontrollers... But I'd always prefer to use HTTPS when able.

@killerdicke @MichaelBall @thomas you're telling me that this is an issue in 2017? Come on we have *phones in our pockets* that have 8 cores and 4GiB of RAM!

Upgrade your damn controllers.

@thomas @MichaelBall @killerdicke I mean honestly, if your controller is too weak to do HTTPS, it is too weak to handle anything even remotely sensitive.

@killerdicke @rysiek @thomas @michaelball Microcontrollers with a web server running on them and serving it publicly? Sure, if you can do THAT, you can also do HTTPS. :D

@rysiek I think it's a nice show of how inherently meaningless are these security messages in the website view.

@pony they are not inherently meaningless. They *are* effective in pushing people to implement HTTPS.

Some people will always choose to do a stupid, and that's it.

@rysiek They don't mean anything if you can fake them, and you can.

@pony they mean that you either have to roll out HTTPS or fake them.

Since the amount of work to do the former is going down, more and more people will decide to roll-out HTTPS instead of doing a stupid.

@rysiek Problem is of course it is not stupid. Not providing a way to override such an intrusive warning for selected sites is a bad thing and it's no wonder people try to circumvent it.

@pony how is it a bad thing? How is sending credentials via pure HTTP a sane idea?

@rysiek That isn't really up for you to decide. I'm ok with the browsers switching to labeling http sites as unsafe, that sounds reasonable, but bastardizing the input elements (that actually have some defined behavior they need to adhere to), that's quite shitty. What are you going to do with it anyway, when you see it?

@pony complain to the damn admin. That's an indirect way of putting pressure on site admins. And apparently pressure is dearly needed.

You don't want your inputs bastardized? Fine! Roll-out HTTPS.

@rysiek Obviously, they are solving it. By using a different input field.

@pony still, most admins are solving it by rolling out HTTPS. the way I know is because the percentage of HTTPS sites is steadily growing. So, there's that.

@pony but if you have some other constructive ideas how to get website admins to get their heads out of their arses and roll out HTTPS, please share.

@rysiek Yes, people spending more effort working around browser warnings than it would take to deploy TLS still baffle me.

@kellerfuchs @rysiek
Thing is... if whoever is maintaining the site is willing to devote time to work around implementing HTTPS, then they probably shouldn't be maintaining that site.