Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

The way I see it there are 2 problems with HTTP

1. Allows passive snooping (not always a problem)

2. No way of knowing whether data has been tampered with (always a problem)

Would be nice if there was a way to stop 2 (e.g. checksum sent through HTTPS), but allowed the caching benefits of 1



TLS/SSL actually supports authentication/signing only, it's just that most browsers don't accept it by default: http://www.hamwan.org/t/SSL+without+Encryption


This seems to be the feature we need if browsers would support it.

I can see how this would cause issues in the "presentation", i.e., how could a browser warn a user that for this session your data is not encrypted (given expectations for pages served via https have already been defaulted to 'you are at the right site + data transfers are encrypted').


I thought that only protected against modification in transit though. Often, what you really want is to verify the content is what the original source intended it to be, rather than what the server sent. In that case, you want a mechanism for attaching a GPG-like signature to the content. It doesn't matter then if the content is delivered via mirrors, caches and HTTP. This would be especially useful for things like jQuery mirrors, where a compromise of the server would affect many sites at once.




Consider applying for YC's Summer 2026 batch! Applications are open till May 4

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: