this post was submitted on 06 Oct 2024
736 points (91.0% liked)

Technology

59438 readers
3536 users here now

This is a most excellent place for technology news and articles.


Our Rules


  1. Follow the lemmy.world rules.
  2. Only tech related content.
  3. Be excellent to each another!
  4. Mod approved content bots can post up to 10 articles per day.
  5. Threads asking for personal tech support may be deleted.
  6. Politics threads may be removed.
  7. No memes allowed as posts, OK to post as comments.
  8. Only approved bots from the list below, to ask if your bot can be added please contact us.
  9. Check for duplicates before posting, duplicates may be removed

Approved Bots


founded 1 year ago
MODERATORS
 

you are viewing a single comment's thread
view the rest of the comments
[–] [email protected] 7 points 1 month ago (1 children)

Apps don't use the system browser to connect to REST endpoints. Neither do they use the OS. Apps typically use a statically linked library. There are use cases for HTTP-only connections so it's unlikely that those libraries would mess with forcing or even warning its users that they've used HTTP instead of HTTPS. Point is Google and Apple can do little in this regard. Unless they scan apps' source code which could be possible to some extent but still difficult because URLs are often written in pieces.

[–] [email protected] 6 points 1 month ago* (last edited 1 month ago) (1 children)

Sure, I didn't say they use the system browser - I said the opposite. I'm saying the OS should be able to block non-HTTPS connections. If you have control of the OS you can control what protocols are used by apps, unless I'm missing something.

What cases are there for non-HTTPS? I can't think of any. It's 2024. All communication should be encrypted.

[–] [email protected] 2 points 1 month ago* (last edited 1 month ago)

The OS interfaces provided to apps (generally POSIX) have no idea what HTTP is. They're much lower level than that. If an OS is to control what protocols are used by apps, it has to offer some functionality that does HTTP for the apps and apps have to use it. Unfortunately the only way to force that would be to disable the general OS interfaces so that apps can't just use existing libraries that use those. If you did that your OS would become useless in other ways that rely on the basic interfaces.

The other way the OS could do anything about it is to inspect network traffic going over its network interfaces. That would be a significantly different can of worms and it's not free in terms of processing power and therefore battery. Then you'd have the screams of privacy people that Android or iOS is looking at all network traffic.

So all in all, the OS isn't very well suited to police application level protocols like HTTP. At least not on devices whose primary purpose isn't network traffic related.