History of HTTPS Usage

jefftk.com

61 points by wpapper 2 years ago · 26 comments

Wowfunhappy 2 years ago

> This allowed for an enormous amount of things, but online shopping wasn't one of them. The problem was, sending credit card numbers over HTTP opened them up to theft: anyone between you and the server could keep a copy of your card information.

In the 90s, what exactly would the attack vector have been? I don't imagine AOL would have wanted to steal people's credit cards. I find it odd that this was viewed as a concern for credit cards but not website logins.

  • tialaramex 2 years ago

    People genuinely worried about this. If you go back to around the time SSL is announced, the media coverage says well, you can't really have shopping on the Internet because there's no way to secure credit card purchases. Clifford Stoll has a rant from around then in which he just plain asserts it will never happen, even though that's actually written IIRC after SSL shipped.

    A few years later it's much more about whether this is really going to take off, there's no doubt people can do it, but is there any desire? There's a BBC clip on YouTube from the era when Amazon is an exciting new business, it has a lot more different books in stock than any bricks and mortar store, but it doesn't have the enormous sales volumes compared to real world book stores yet, Bezos could just be another entrepreneur with an idea that sounds good - he isn't yet incredibly rich and so he also seems much less weird.

  • nitwit005 2 years ago

    While it's certainly possible the ISP could extract the data (and might be forced to by some intelligence agency), it was also possible to just listen to the data in transit. Remember that these were the days of people sending data over telephone wires.

    • ytch 2 years ago

      Other than eavesdropping, the biggest advantage of HTTPS for me is to stop nasty ISPs that inject advertisements or other code into HTTP pages.

      • Doctor_Fegg 2 years ago

        Also the biggest advantage of HTTPS for any bigco whose business model relies on showing you _their_ ads and no one else’s.

      • chgs 2 years ago

        Can you not just choose a better ISP?

        • em-bee 2 years ago

          i think most people had the option to choose among two, or maybe if they were lucky three ISPs. only big cities had more, and the better alternative ISPs tended to be more expensive too. and since they were not exactly telling you in advance that they were going to do this and they often were locking you into one or two year minimum contracts, switching ISPs was and still is not a simple thing to do.

          • chgs 2 years ago

            How odd. I have a choice of dozens in the UK. If I remember back in the day you pups chose a subsidised ISP (or even free) which worked by adding adverts into your web browsing. Some people were happy with that.

            Personally I pay more so that I have support via IRC, have an unfiltered view of the internet, have static IPs, no over-subscribing of bandwidth. Not everyone cares about that so are happy to pay less to get less.

            Why is there so little choice in your area?

      • diggan 2 years ago

        > the biggest advantage of HTTPS for me is to stop nasty ISPs that inject advertisements or other code into HTTP pages

        Huh? This was/is a thing? I've never seen that from a home ISP I think, only early on in airport's public WiFi and such. But a home ISP injecting ads into webpages? What country was/is this in?

    • chgs 2 years ago

      People routinely ordered by phone, reading out the card number to the person on the far end.

      • gsck 2 years ago

        People still do. On average the people that do are older, but it still happens.

        Unfortunately there is no real way to do properly secure telephone payments. Stuff like PCIPal just moves the payment information from the caller speaking it out and it being entered into whatever payment gateway the call agent is using to doing it automatically via DTMF, but it's all transmitted the same way.

        You just need to hope the call centre you are phoning into is set up in a way that the agents can't exfiltrate that payment info (no phones, no paper, no access to anything they shouldn't have access to).

      • diggan 2 years ago

        I'm fairly sure this still happens. In 2013-2014 I worked for a company that does outsourced customer support and I worked in the department that handles customer support for logistics in a very famous fruit/computing company, via telephone.

        If people ended up buying things from me, the standard practice was for them to read out their credit card details so I could purchase things for them, in their name.

        • Wowfunhappy 2 years ago

          It absolutely is still accepted practice. I purchased a hotel reservation by phone mere months ago. Hyatt's website was giving me an error during checkout, so I called them, and they took down my CC over the phone.

          This is why I find it strange that the idea of sending CC information over a dialup phone line was seen as unacceptable.

          • diggan 2 years ago

            > This is why I find it strange that the idea of sending CC information over a dialup phone line was seen as unacceptable.

            Simple, new technology is scary, no matter how "safe" it actually is in reality (or not).

            Douglas Adams:

            > 1. Anything that is in the world when you’re born is normal and ordinary and is just a natural part of the way the world works.

            > 2. Anything that’s invented between when you’re fifteen and thirty-five is new and exciting and revolutionary and you can probably get a career in it.

            > 3. Anything invented after you’re thirty-five is against the natural order of things.

            • mixmastamyk 2 years ago

              Yes, new and scary. But I remember the evening news planting the idea that it was (more) dangerous to the public. Took years for that to dissipate.

          • nitwit005 2 years ago

            It's more secure now, as newer forms of phone communication are generally encrypted, and even the hotel's phone system may be encrypted.

            Of course, you can probably sit there with a nice microphone and record the front desk to hear those calls.

    • Wowfunhappy 2 years ago

      > it was also possible to just listen to the data in transit. Remember that these were the days of people sending data over telephone wires.

      It's that easy to tap a phone line?

      Mail order services will take credit card numbers over the phone verbally, right? Why was that considered safer?

sureIy 2 years ago

The funniest thing about HTTPS is that its transition/enforcement exposed a lot of people who don’t understand why we need HTTPS everywhere, even if there are no logins (!!!)

To this day, if you open Twitter, Facebook Groups or Discord, you’ll find people complaining about Google forcing HTTPS down people’s throat.

  • em-bee 2 years ago

    one of my biggest regrets is that in the early 2000s when i was contributing to a webserver project i suggested that we should not allow people to log in via http but instead enforce https for that. or rather, use https for login content and http for public content. the devs liked the idea and promptly implemented it with the result that while it now was no longer possible to log in via http the server also could not show public content over https.

  • curated4ever 2 years ago

    Plenty of them here on HN too.

kalleboo 2 years ago

[2018]

ViktorRay 2 years ago

Makes me wonder what the history of HTTPS is on Hacker News. Does anyone know?

Perhaps dang (the moderator of Hacker News) knows…
