Need to cross national borders for that, more than once.
> That redirect to the Starbucks WiFi login page certainly isn't being served from example.com
Also saw these things here in a couple of places. Most places here don’t charge for WiFi and have a single PSK key for all clients, but a couple indeed ask for authentication this way.
I’m not sure how SSL helps? As a user, I don’t want to have access to WiFi blocked, I rather prefer redirects. Although it’s technically MITM, it does the job, i.e. allows access to the network.
> stop spreading misinformation about SSL
I have written that unless it’s credit card numbers or other sensitive content like e-mails or Facebook messages, there’s very little security value in it, and it costs web site owners. What exactly do you think is the misinformation in this statement?
If your site is vulnerable to a MITM attack you are not protecting your users and someone can serve them anything. The security risk isn't people reading your blog in flight, it is people injecting your blog with malicious scripts that can compromise your users.
Would you be happy if when I visited your website I was asked for my credit card details through a phishing scam? Not secure for me, not a good look for your site.
ISPs know IP addresses anyway, even with HTTPS. Same with DNS names.
SSL makes a lot of sense on web sites like Facebook and YouTube: users enter sensitive data there, servers serve terabytes of available content, not all of which is public, and even for public, the user’s selection is privacy-sensitive.
For small static web sites, any person in the world can get their hands on all the content, that’s the whole point of public Internet. There’s no privacy-sensitive data in HTTP traffic to these sites, unless there’s Google Analytics, ads, or some other malware on that site.
Say you trust mrb on Hacker News. He lists his website on his profile page. You go to that site. How do you know you are seeing what mrb wants you to see (his contact info)? SSL.
This is just... false. Without SSL, static content can be MITM'd just like anything else. Don't believe me? Connect to the WiFi in any Starbucks and visit http://example.com. That redirect to the Starbucks WiFi login page certainly isn't being served from example.com...
Please stop spreading misinformation about SSL.