It’s definitely not the case that it’s useless. A MITM can embed malware into the page it returns if you aren’t being served over HTTPS. It’s not just about snooping on sensitive data going one or both ways, it’s about being sure that what you’re receiving is from who you actually think you’re receiving it from.
(Edit to add:) I actually went to look at some of the rest of the site and it confirms what I suspected: not using HTTPS here puts the reader at risk. Because this website provides code snippets and command line snippets that the user is to run, by not presenting it over HTTPS, it becomes susceptible to malicious MITM editing of the content.
For example, this line on the site:
Could be intercepted, since it’s not being served over HTTPS, and be replaced with UTF-8 lookalike characters that really downloads and runs a malicious Ruby script! Even easier, perhaps, they could just insert an item into the bulleted list that has the user run a malicious command.
HTTPS is not just for security of personal or private information. It is also for verifiable authenticity and security in contexts like this.
Yeah, it’s also easy enough to set up that a coding website not doing it is almost embarrassing.
Indeed. See my edit on the parent comment–I noticed that the website provides commands to the user to run, which makes it ripe for MITM attacks: if the user is copying-and-pasting commands to run into their shell, those need to be served over HTTPS.
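As an added example (not part of the thread or of the site under discussion): a check for the lookalike-character substitution described above, run over a command before it is pasted into a shell. The function names and the sample commands are constructed for illustration.

```python
import unicodedata

# Invisible or direction-changing code points that can hide or reorder text.
INVISIBLE = {0x200B, 0x200C, 0x200D, 0x2060, 0xFEFF,
             0x202A, 0x202B, 0x202C, 0x202D, 0x202E,
             0x2066, 0x2067, 0x2068, 0x2069}


def audit_command(cmd):
    """Return (index, code point, reason) for every suspicious character."""
    findings = []
    for i, ch in enumerate(cmd):
        cp = ord(ch)
        label = f"U+{cp:04X}"
        if cp in INVISIBLE:
            findings.append((i, label, "invisible or bidi control"))
        elif ch in "\r\n":
            # A pasted newline makes the shell execute what precedes it.
            findings.append((i, label, "embedded newline"))
        elif cp < 0x20 or cp == 0x7F:
            findings.append((i, label, "control character"))
        elif cp > 0x7E:
            # Shell commands and URLs are normally plain ASCII, so any
            # other character deserves a look; name it for the reader.
            name = unicodedata.name(ch, "UNNAMED")
            findings.append((i, label, f"non-ASCII: {name}"))
    return findings


def is_safe_to_paste(cmd):
    """True only when the command is plain printable ASCII on one line."""
    return not audit_command(cmd)


# Constructed samples: the second replaces the Latin "e" in the host name
# with the visually identical Cyrillic letter U+0435.
CLEAN = "curl -fsSL https://example.com/install.sh -o install.sh"
SPOOFED = "curl -fsSL https://\u0435xample.com/install.sh -o install.sh"

if __name__ == "__main__":
    for sample in (CLEAN, SPOOFED):
        print(repr(sample))
        for index, label, reason in audit_command(sample):
            print(f"  position {index}: {label} {reason}")
```

A tampered command written entirely in ASCII, such as an extra list item, passes this check, so it complements serving the page over HTTPS rather than replacing it.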