SSL / HTTPS

Are you a fucking bank or something? No? Then FUCK OFF with your fucking bollocks redirecting everything to HTTPS shite then.

I don't fucking care what drivel Google blethers about it. Or any of the dumb fuckers who copy their lead while being too dense to see through it. If your browser has some shitty feature that whines about websites being "insecure", turn the fucking thing off. It's not fucking "insecure". It can't fucking be insecure when there is nothing to fucking BE "secure" in the first place.

All it fucking does is provide yet another fucking thing to fucking go wrong; and it does go wrong, because the stupid bastards who try and configure it don't know how, and the result is that instead of being able to read their website in the unimportant absence of some spurious "protection" against a threat that doesn't exist, you just can't fucking read it at all, and this is shit.

Or some system update brings in a new version of the crypto libraries which is more fussy than the previous version, and all of a sudden a whole bunch of websites stop working because they haven't done their own update to whatever it is the new library version has started being fussy about.

Let us note to begin with that HTTPS does FUCK ALL to defend against spooks watching what you read on what websites, or to stop the police working out who it is who's asking on a chemistry forum how to make bombs. That idea is a classic how-not-to-do-secure-communications fallacy which was alive and well long, long before any kind of technological aid to encryption was invented (including writing). You don't need to crack the encryption at all to do that.

All it does get in the way of is someone understanding and possibly altering the data as it's actually going past. So let's look at how they might get at it in the first place.

So what it boils down to is that it's only a "defence" against something that is never going to fucking happen anyway, except in ways that make the "defence" irrelevant. In other words, it's a complete fucking waste of effort, like building avalanche defences in Norfolk.

The one person it is effective at fucking up is YOU. Far too often it simply doesn't fucking work because it's been configured by an incompetent cockend who has no fucking clue how to do it. And it gets in the way of wiresharking your own fucking data to help debug some dysfunctional piece of shit website that doesn't work or to see what evil fuckery it is getting up to. And so it can FUCK OFF.

What Google and the other fuckers are fucking doing is playing up this nonexistent threat in a piece of classic misdirection based around the desire of the ignorant for a magic bullet. They hawk up this idea of "you are safe as long as you've got SSL", and back it up with the spurious notion of the data being played with on the way past being the only significant threat as an unfortunately all too successful aid to blagging the not-quite-so-ignorant. It is in their interests to make people think that as long as the browser displays a padlock in the address bar there is nothing to worry about, because the real major threat is not the fucking transport, it's the fucking endpoints, and the reason this is the case is not spotty fuckers in mucky basements, it's the cunts who run the endpoints and the other cunts like Google who provide the materials for their cuntery.

Google want you to think that they are fanatically protective of your privacy and cough up spurious bollocks about "security" to help make themselves look like the good guys. The reality is they don't give a juddering fuck about your privacy and need to make you think the opposite so you don't worry about Google mail and Google docs and Google maps and Google bloody mobile phones and Google every other fucking thing having access to all of your confidential data to pry through and analyse and dig every fucking thing they possibly can out of until they know more about what you're doing and where you're going than you do yourself, in support of slathering you with FUCKING ADVERTS (all advertising servers should be nuked).

I don't give a toss about what they say they do and don't do. I don't give a toss about any of their statements or policies or agreements or any of their other stupid fucking propaganda shite. They can say what they fucking like: it doesn't mean they actually behave like that. They can do what they fucking like as well, and they can get away with it for as long as they can't be nailed in court, which they won't be because they control the fucking evidence. No matter that it's bleeding obvious to anyone who looks at them with more intelligence than a dumb-arsed blindly trusting idiot who believes everything anyone tells them and thinks you can trust any cunt who is making money.

Google are probably the worst overall because they're the biggest, but they are far from alone. Apple are worse within their "walled garden" (iron curtain would be more fucking like it) but at least you can avoid them by simply not having any Apple stuff, which is easy since all Apple stuff is complete dogshit in any case and always has been ever since the original Mac. Facebook and Amazon are other major cunts who get all over the place, infect other people's sites, and run all sorts of things you don't realise are part of them to extend their reach without exciting so much suspicion. And there are an absolute fucking swarm of lesser cunts who are without number and appear in multiple on sites here there and everywhere such that it's never safe to visit any site you haven't been to before without checking what resources it's using and making sure your blocklist is comprehensive enough to catch all the shite.

It's not "the NSA and GCHQ" spying on everything you do on the net that you have to worry about (and against actors with that level of resources, there's fuck all you can do even if you are worried about it except make them more interested in you). It's Google and Facebook and doubleclick and optimizely and hotjar and bunchofrandomletters.cloudfront.net and fuck only knows how many other little bits of shit you find in a webpage's scripts with names that look like they've been shat out of a dog's arse. Nothing to do with "hackers" or people spying on the wire as the data goes past. Everything to do with fucking wankers who put ten or a hundred separate bits of shite on their websites on the off chance of getting 0.00001p every time someone looks at the page. That's where the spying takes place: not "the spooks" but a horde of slimy little capitalist fuckers who are invited onto people's websites especially in order to spy on people who use them and who don't give a fuck what happens to the data they collect as long as someone gives them money.

Encrypting the connection does absolutely fuck all to defend against this threat because it's all shit that is deliberately served as part of the web page. And it's a genuine threat whose existence can be trivially demonstrated merely by looking at the source code of pretty well any fucking web page and observing all the evil bollocks on it (try an American newspaper's site). Encryption only has any effect against a fucking silly threat which is so much more difficult to do than shitloads of other more productive things that it basically just doesn't happen.
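The "look at the source" check described above, done mechanically. This is an added example, not part of the original page: it lists the off-site hosts a page's markup pulls resources from. The sample page and every hostname in it are constructed, and "same site" is approximated by a host-suffix match rather than a proper public-suffix lookup.

```python
from collections import defaultdict
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag -> attribute that makes the browser fetch something on page load.
FETCHING = {"script": "src", "img": "src", "iframe": "src", "link": "href"}
# <link> only makes the browser contact the host for these rel values.
LINK_RELS = {"stylesheet", "preload", "prefetch", "preconnect", "dns-prefetch"}

# Constructed sample page; every hostname is a made-up .example name.
SAMPLE_PAGE_URL = "http://www.news.example/story?id=7"
SAMPLE_HTML = """
<link rel="stylesheet" href="/css/site.css">
<link rel="canonical" href="http://mirror.example/story">
<script src="/js/app.js"></script>
<script src="//static.news.example/js/menu.js"></script>
<script async src="https://ads.adnetwork.example/show.js"></script>
<script src="https://cdn.sessionreplay.example/record.js"></script>
<img src="https://ads.adnetwork.example/pixel.gif?page=story" width="1" height="1">
<iframe src="https://widgets.social.example/like"></iframe>
"""

class ResourceCollector(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.found = []  # (tag, absolute URL) in document order

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        url = attrs.get(FETCHING.get(tag, ""))
        rels = set((attrs.get("rel") or "").lower().split())
        if url and (tag != "link" or rels & LINK_RELS):
            self.found.append((tag, urljoin(self.page_url, url)))

def third_party_hosts(page_url, html):
    """Map each off-site host to the tags that pull resources from it."""
    host = urlsplit(page_url).hostname
    # Assumption: "same site" = same host or a subdomain of it, ignoring "www.".
    site = host[4:] if host.startswith("www.") else host
    collector = ResourceCollector(page_url)
    collector.feed(html)
    hosts = defaultdict(list)
    for tag, url in collector.found:
        h = urlsplit(url).hostname
        if h and h != site and not h.endswith("." + site):
            hosts[h].append(tag)
    return dict(hosts)
```

This only sees what is in the static markup: anything a script loads at runtime, or sends back to the site's own domain, does not show up here.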

Moreover, encryption makes the real threat worse, by distracting people's attention from it, fostering unjustified trust in the principal perpetrators, and putting obstacles in the way of some important methods of detecting the shite and installing countermeasures. Blocklists can't catch all of it: some shite (and often especially nasty shite: recording all your browser events, for example) gets sent to the website's own domain, so you need to be able to filter the data sent out from the browser, which you can't do in the browser itself and which is a pain in the fucking arse to do outside the browser if it's all fucking encrypted.

So FUCK OFF with making your fucking website use HTTPS. You are NOT "improving security". You are just falling for the blag and assisting the efforts of various fucking wankers to fuck people up.

And fuck RIGHT off with this stupid fucking shite of forcing people to use your website over HTTPS by redirecting every plain HTTP request to HTTPS. Which then doesn't fucking work because your fucking certificate is fucked. Or indeed quite often because your redirection is fucked and goes to a different fucking page or goes to a page that doesn't exist or drops the query parameters off the URL or some other bleeding stupid error. I have NOT gone to the HTTP version of the URL by some kind of fucking "mistake". I've done it as a deliberate choice because the fucking website does not fucking need to be fucking encrypted for fuck's sake. Your server is perfectly well capable of responding over plain HTTP if you just take the stupid fucking redirection directive out of your .htaccess (or something equally simple), so fucking DO IT and next time don't put the stupid fucking redirection in in the first place.
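The redirect failures listed above (wrong page, dropped query parameters) can be spotted from the redirect response alone. This is an added example, not part of the original page: the function name, the fault wording and the sample responses are all constructed for illustration, and it assumes a redirect should keep the same host, path and query. It does not check the certificate or whether the target page exists.

```python
from urllib.parse import urljoin, urlsplit

def redirect_faults(requested_url, status, location):
    """Return the faults in an HTTP->HTTPS redirect, judged from the response."""
    if status not in (301, 302, 307, 308):
        return ["not a redirect"]
    if not location:
        return ["redirect without Location header"]
    src = urlsplit(requested_url)
    # Location may be relative; resolve it the way a browser would.
    dst = urlsplit(urljoin(requested_url, location))
    faults = []
    if dst.scheme != "https":
        faults.append("target is not https")
    # Assumption: the redirect is expected to stay on the same host.
    if dst.hostname != src.hostname:
        faults.append(f"host changed: {src.hostname} -> {dst.hostname}")
    if (dst.path or "/") != (src.path or "/"):
        faults.append(f"path changed: {src.path or '/'} -> {dst.path or '/'}")
    if dst.query != src.query:
        faults.append("query string dropped or altered")
    return faults

# Constructed (request URL, status, Location) samples, not captured traffic.
SAMPLES = [
    ("http://shop.example/search?q=valve&page=2", 301,
     "https://shop.example/search?q=valve&page=2"),
    ("http://shop.example/search?q=valve&page=2", 301,
     "https://shop.example/search"),
    ("http://shop.example/docs/manual.html", 302, "https://shop.example/"),
    ("http://shop.example/search?q=valve", 301, "/search?q=valve"),
]

if __name__ == "__main__":
    for url, status, location in SAMPLES:
        print(url, "->", location, redirect_faults(url, status, location) or "ok")
```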



