On Wed, Apr 17, 2024, 1:17 PM Marc <m...@f1-outsourcing.eu> wrote: > > > > > http is an insecure protocol. I don't want my website to run on > > http. So, I am hardcoding https in links in my website that refer to > > pages in my website. > > > > > > Now, I know that you will write why not redirect http to https by > > default. > > No because that is not relevant to me and what I would like to address. I > am even deploying https on tasks in private air-gapped environments. This > is not a discussion about whether or not https should be used and when. > > > > The problem with this is that if the website gets migrated to > > different provider and if people forget to redirect http to https in new > > setup then it will become a security problem. > > I know there are many idiots out there and your concern is very valid. > Most of the security breaches you read about is about such issues. > However, can you imagine the apache dev team thinking like you? Hard > coding everything to https? Can you imagine all http ports of tomcat, > httpd, jboss etc. being dropped? These people have been making rock solid > applications for decades they don't lecture others how to use or not use > https. > You will never match them in any way, why not follow their lead? > > > > Hardcoding https solves all issues. > > > > A few years back I had an argument with apple developers. They were having > in the build process of the calendar server openssl. The developers thought > for security purposes it would be better to include it in the build. This > resulted in that calenderservers were always having an old insecure > openssl, because the openssl updated by the distribution was not used. (and > nobody is going to build the application frequently) This is what happens > when application developers think they are security geniuses. > > The point I am trying to make is that you as an application developer > should be focussed on developing your application it is not your business > how this application is hosted. You should not concern yourself with things > you are not experienced in/with. Especially when it comes to something as > crucial as security. You are not removing ca certs from the trust store, > your are not setting secure ciphers, you are not setting limits on key > sizes etc. Why would you then even bother with https or http? > > With your argument you might as well hard code the domain name in your > application (like wordpress) and hardcode root name servers etc. > If you buy an egg in the store, it does not come with any requirement that > it should be used only for making cakes. Grasp this concept. >
Marc, I don't know what you are trying to prove by your points + you are insulting people for no reason. If you insult people, they may insult you back. Russia attacked Ukraine and Ukraine/NATO hit Russia back. The original discussion was about openssl commands and I think that since you don't know openssl commands, you should not have said anything. Let other people do what they want to do. If they want to hardcode something, why are you bothered. I will hard code https, its my choice. It has nothing to do with you. Now, you are saying to hard code root name servers, etc. which doesn't make sense. You are taking this discussion in all sorts of directions and I don't know what you want to prove. If you want to prove that you are a very smart person and other people are fools then for that you need to play chess with all other people and win all the games. You can invite wordpress idiots to play chess with you and then if you win then probably you can tell that person that he/she is an idiot. There are many people in this world who are very smart but they don't say that other people are fools - for example, Steve Wozniak, Larry Page, Knuth, etc. If people are asking for advice on PHP then advise them on PHP or don't say anything. Don't start advising them about Java. By the way, if you insult me, I will insult you back. GE
