So, I’ve moved my blog back to a low-cost hosting service running WordPress rather than using AWS services to very expensively host some HTML.
In doing so I’ve been dealing with setting up the hosts using cPanel and DNS etc.
It’s all the usual issues of updating a thing, waiting for it to propagate before the next thing can be done. Nothing out of the ordinary.
Now, because its 2022, there’s a lot of SSL/TLS certs involved on the new hosting, because SSL Everywhere is a thing, and you’ve got to be serving your HTML (i.e., this blog) over TLS because, well, security.
And the security involved is transit security, that humble plain text HTTP request, passing over that binary level TCP connection, which exchanges text (Encoded Images, JavaScript, HTML) which must be protected from those intercepting the HTTP request, along with whatever information I send the other way (such as filling in a comments form). This data must be encrypted with strong encryption, just in case any person who couldn’t reach the site themselves by simply typing it in the URL of their own browser, gets to see what I’ve publicly put on the internet.
Now, of course its more complicated than that, TLS is also protecting me as I write this blog post, in the admin area of WordPress, having just logged on with a form submission of a login form and so forth, so, that might be something that attacker would gain advantage from intercepting.
But who is hanging out on routers, performing Man in the Middle (MITM) attacks to intercept millions of TCP packets in order to redirect this content for their own nefarious purposes.
Well, not many, I assume. Given I haven’t heard of a publicly described MITM attack being undertaken. I assume they do occur, but in dark corners of the net, for specifically targeted reasons and using compromised infrastructure (I.e., National Security reasons).
No, the most likely way you have things taken from you isn’t a MITM attack, it’s because you went to a website, and you literally typed your private information into it because you thought it was your bank or your telco.
And why don’t you realize it’s not your bank?
Because, it’s got the little padlock, and you think its secure, failing to read the characters to the right, or if you do read them, understanding what they mean.
Nowdays SSL certs are autogenerated by publicly available certificate authorities, it’s an automated step as part of my hosting package, besides owning the domain name, I need no further proof to issue a cert in its name.
But back around 1996, getting an SSL cert cost you hundreds of dollars and involved you faxing (I’m not joking), your paperwork to an authority which did a background check on you (including calling and researching the company!), to see you were who you said you were.
So, the padlock did what it was intended to do, sure, it encrypted traffic to and from the server, but it also proved the identity of the server, and the organization behind it.
That seems to be lost these days, and it’s the only problem we should be focused on solving. In the meantime, we press onwards, with the illusion of security, and handing out padlocks like free trinkets.
And every time an SSL cert is generated for me through a button on web hosting, I think of this.