@eapl.me@eapl.me There is HTTPS but it doesn’t seem to be enforced. My browser always connects with TLS if it’s available and the message is present with or without TLS or extensions, even when using cURL. I would notice if my VPN service injected things like this because I disable JavaScript and cookies by default. I think it’s unlikely I’m being MiTMed because the certificate is definitely from Let’s Encrypt. Also, I don’t see the point in MiTMing me just to put a JavaScript challenge on someone’s personal website.
I still think it’s a hosting provider thing. It doesn’t really matter to me, I’m just curious.
@xuu@txt.sour.is I caught AT&T doing this last year. They were also hijacking DNS queries if I remember correctly.
@movq@www.uninformativ.de Today I learned this package is installed on my computer. Unnecessary dependencies are really annoying on Arch. If I switch to Gentoo this will be a major reason why.
@sorenpeter@darch.dk If I go to your website, it makes my browser complete a JavaScript challenge and send the result to a special location on your domain using a form called “wsidchk”. After I complete that I get a cookie and I can browse your website freely. It isn’t Cloudflare. I imagine it’s because I’m using a VPN service with somewhat disreputable IP addresses. Is this something your hosting provider does automatically?
@sorenpeter@darch.dk Looks good, but how come I have to enable JavaScript and cookies to “verify” my request? It doesn’t look like Cloudflare.