Frogesay
Back again on all that Web Sec nonsense.

Shaming the HTTP Zealots

As Slick Rick said in “Hey Young World”: “’Cause righteous laws are overdue, and this is a message that the Ruler Rick threw”. One of my righteous laws is to shame websites that operate in 2019 for not serving their content encrypted using HTTPS. The certificates are free. The compatibility is omnipresent. There is zero downside to maintaining HTTPS support. And yet, for some braindead reason I cannot comprehend, I still see at least a dozen websites a month not using this defacto standard of the Web. In favour of what? Fuck all, that’s what.

Listen, listen. If the fucking Space Jam website — yes, the Space Jam website from 1996 — can be bothered to purchase a certificate from Comodo over two decades since it was first launched, then your dipshit Internet startup with atrocious UI design can use one from Let’s Encrypt. Look at this shit! One of the websites linked from that page is in HTTP only! Thanks for maintaining some semblance of nobility, but fuck me. Imagine making fun of bad design and then having the website itself be unmaintained.

Look. I’m not going to be your Serra Angel and espouse to you the virtues of making the browsing sessions of you and your users more safe and secure. I assume you’ve already looked at the advice given to you by Google, Cloudflare, Ars Technica, Mashable, How-To Geek, this random single-purpose website, and the United States Chief Information Officers Council, and have decided that, for whatever reason, you’ve decided to disregard it. It’s totally within your rights to be lazy, arrogant, or just plain stupid. But fuck you anyway. That’s my right to say fuck you. Unless you’re the people who develop APT, which is a different use-case entirely.

I remember way back in the day when Neocities (which is my Web host for you uneducated schlubs) did not use SSL by default, which would convert all traffic to HTTPS, and users who typed in “froghand.neocities.org” wouldn’t be redirected to the HTTPS version. So to compensate for that I had a banner at the top that linked to “https://froghand.neocities.org” and directed my fans to click on it whenever they first join the website, because then that would cause the rest of their Froghand-browsing to be encrypted. The Man With The Power In His Hand eventually changed this on New Year’s 2017, leading to incredibly minor layout breakage for people who designed their websites shittily (👀️ eyes emoji), and absolutely no consequences otherwise.

Also, shout-outs to this blog post that features 10kB in a picture. I never knew I would be a part of Neocities history, but here we are…

Yes, I’m making this an article instead of a hangover because you FUCKS need to LEARN to USE the FUCKING INTERNET. Although if you’re reading this right now and you haven’t physically printed it out on paper or handwritten it in goatskin, then you surely know how to use it in some capacity. I’m talking about those who claim to wrangle the Internet by merely throwing up a website and thus claiming they have free reign to do whatever they want with it. Yes, they do. But they don’t have to shit up the joint by doing so.

Just as an example, here are some examples of sites who use HTTPS, and some examples of sites that don’t. See if you can find a pattern.

Wall of HTTPS Goodness

Fanfiction.net. This website is ancient. It’s the premiere repository for the absolute excess of the Internet. There’s so much shit on here that you’d be afraid to even be looking at it. While it won’t hide the fact you’re connecting to this website, it will hide the fact you’re reading Garfield of the Galaxy: Infinity Wars. Damn, ShakespeareHemmingway. You fucking madman.

Fimfiction. Why is some of the best Web design on the Internet from a My Little Pony fanfiction site? It may be home to the unholy tag combination of “Human”, “Random”, and “Slice of Life”, but at least we can browse our shitty isekai in style. Also, holy fuck, a Human in Equestria story with 650,000 words? I guess J.K. Trolling was right when she said fanfiction was a waste of talent.

Neocities. THANK. FUCK.

Mr. Money Mustache. The Internet’s best source for not-so-serious financial advice demonstrates both his technical prowess and money savoir by using a Let’s Encrypt certificate. So, there you go, poor folks. It’s Money Mustache Approved.

Cinemassacre. Now this is a blast from the past. Somewhere along the way whoever is in charge of the Cinemassacre website decided to get a certificate from Comodo and make sure we can browse Mr. Rolfe’s neglected blog in peace.

Hall of HTTP Plus-Ungoodness

Better Motherfucking Website. Considering how Even Better Motherfucking Website, The Best Motherfucking Website, an imposter claiming to be in actuality The Best Motherfucking Website, a rogue appearance from Motherfucking Webapp, and Perfect Motherfucking Website all have valid HTTPS certificates, I think you have some improvements to make. Even the original Motherfucking Website has a certificate! What the fuck are you waiting for! Secure Motherfucking Website is dabbing on your grave!

Every Fucking Website. Although it can be said the purposeful shittiness is a part of the satire, it’s not relevant or funny considering most of these shitty startup websites do use HTTPS. Ironic. It could protect others but not protect itself.

tasvideos.org. Listen. The people on TASVideos are smart. Real smart. So I’m sure it occurred to the administrators of the single most important resource, if not the only relevant resource, on TASs and TASing that it might be a good idea to make their website a little less susceptible to Man-In-The-Middle attacks as committed on their unsuspecting audience. The fucking LOGIN PAGE isn’t even secure! What the fuck! Are you hosting your passwords in plaintext, too?

Logical Increments. It’s been half a decade since the premiere PC builder’s guide first launched, and it still doesn’t redirect users to the HTTPS version of the site. Wanted to type in “logicalincrements.com”? Fuck you! Session hijack time!

You’re The Man Now, Dog! Not anymore, ever since it became irrelevant around the turn of the decade, faded into obscurity, and was missed by few people when it finally shuttered its doors. Throughout its existence, this relic of the Web had its users look at shitty memes and unfunny fads in complete transparency, with no encryption to be found. Truly, this is The Winter of Charlie’s Discontent. Yes, that does have 36 views. Don’t @ me on th@.

The Conclusion

The pattern is that there is no pattern because HTTPS is so spottily applied across the Web that I could take ten random-ass dipshit websites and find varying degrees of security regardless of their content or importance. Even for ultimately flippant websites like YTMND, the content of the service is ultimately irrelevant to the simple fact that all communications, barring incredible impracticality, should be encrypted to maintain the security, authenticity, and confidentiality of those who use them. If a My Little Pony fanfiction site has better Web design and security practices than you, then there is no excuse for your California-based Internet Startup who’s trying to take themselves seriously.

Fucking do it you fucking code monkeys piece of shit motherfucking ass cocksucking sons of bitches who piss and shit in your mother’s mouth.

Please.