
HTTP: here is the length (response header) and here is the payload transferred with checksums (TCP). HTTP has quite good integrity of the data you requested.

If you mean HTTPS is great to check if it's coming from the right server (identity/authority) then well, see how well the CA system works and how weak certificates really are (e.g. "Ron was wrong, Whit is right"). You can work around that by doing certificate pinning (see Google Chrome for example) and stuff like that, but in that case I'd already be better off signing the payload and sending that as part of the response.

The scientific institutes of Germany worked around all the CA headaches by becoming an intermediate CA (see who signed https://www.pki.dfn.de/ ). I'd just expect more intermediate CAs popping up as a result of HTTPS only, which will weaken HTTPS even more.

(And yes, I'm using HTTPS everywhere and would enable HTTPS for just about every site, except e.g. for Linux ISO downloads and the like)



> HTTP has quite good integrity of the data you requested

Not for the values of "integrity" that include the possibility of intermediate tampering. You have no indication that the request received by the server is the one you sent, nor that the response you received is the one that the server sent.
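
Added example, not part of either comment above: it contrasts the length-plus-checksum check from the first comment with a keyed check on the payload, for both accidental corruption and a hop that rewrites the body. Assumptions: the checksum is computed over the payload only (real TCP also covers a pseudo-header and the TCP header), HMAC with a pre-shared key stands in for a real signature so only the standard library is needed, and the key and payloads are constructed sample values.

```python
import hashlib
import hmac

def internet_checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement sum, the algorithm TCP's checksum uses."""
    if len(data) % 2:
        data += b"\x00"
    total = 0
    for i in range(0, len(data), 2):
        total += (data[i] << 8) | data[i + 1]
        total = (total & 0xFFFF) + (total >> 16)  # fold the carry back in
    return ~total & 0xFFFF

def frame(body: bytes) -> dict:
    """Length plus checksum: computable by anyone who holds the bytes, no secret needed."""
    return {"length": len(body), "checksum": internet_checksum(body), "body": body}

def transport_ok(msg: dict) -> bool:
    return (msg["length"] == len(msg["body"])
            and msg["checksum"] == internet_checksum(msg["body"]))

def tag(key: bytes, body: bytes) -> bytes:
    return hmac.new(key, body, hashlib.sha256).digest()

def authentic(key: bytes, body: bytes, expected: bytes) -> bool:
    return hmac.compare_digest(tag(key, body), expected)

def demo() -> dict:
    key = b"constructed-demo-key"            # assumption: shared out of band
    original = b"release-1.0 payload bytes"  # constructed sample payload
    sent, sent_tag = frame(original), tag(key, original)

    # Line noise: one bit flips in transit, framing fields arrive unchanged.
    noisy = dict(sent, body=bytes([original[0] ^ 0x01]) + original[1:])

    # Rewriting hop: replaces the body and re-frames it, which needs no key.
    rewritten = frame(b"release-1.0 payload bytes, modified")

    return {
        "noise_passes_transport": transport_ok(noisy),
        "rewrite_passes_transport": transport_ok(rewritten),
        "original_authentic": authentic(key, sent["body"], sent_tag),
        "rewrite_authentic": authentic(key, rewritten["body"], sent_tag),
    }

if __name__ == "__main__":
    print(demo())
```

The checksum catches the flipped bit but accepts the rewritten body, because whoever rewrites the body can recompute both framing fields; only the keyed check rejects it.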



