Http vs Https Universally

I just don't see it, in all honesty.  If it were free... then that would be a different story.  There's the Let's Encrypt initiative... but until it arrives, I don't believe it.
-wraith808 (May 15, 2015, 05:40 PM)
It's here. Believe it. :)

The key principles behind Let’s Encrypt are:

* Free: Anyone who owns a domain name can use Let’s Encrypt to obtain a trusted certificate at zero cost.
* Automatic: Software running on a web server can interact with Let’s Encrypt to painlessly obtain a certificate, securely configure it for use, and automatically take care of renewal.
* Secure: Let’s Encrypt will serve as a platform for advancing TLS security best practices, both on the CA side and by helping site operators properly secure their servers.
* Transparent: All certificates issued or revoked will be publicly recorded and available for anyone to inspect.
* Open: The automatic issuance and renewal protocol will be published as an open standard that others can adopt.
* Cooperative: Much like the underlying Internet protocols themselves, Let's Encrypt is a joint effort to benefit the community, beyond the control of any one organization.
The bottom line is that certificate-based security is only as trustworthy as the companies responsible for the certificates. Companies generally, large companies in particular, and large security companies especially, are ultimately vulnerable to the whims of government actors. Look at how effective the NSA has been at undermining security standards without even bothering with bringing the coercive power of the government to bear.

I'm not saying that I don't use HTTPS everywhere possible, but I understand that it's like putting a band-aid on a sucking chest wound. It addresses a handful of problems, but leaves the underlying issue untreated. I don't know what the solution is, but I'm absolutely sure it will involve a complete paradigm shift in how we handle trust relationships.

Amen to that! ...What "problem" are "we" trying to solve here?? MITM attacks...on what exactly?? It's publicly available content ... So it would be an idiotic waste of effort to break into a stream of data that you could much easier just go read on your own. That's like encrypting all the billboards on the side of the highway so people have to get and wear very special - and very expensive - glasses to be able to read your advertisement messages. WTF is the point? ...Complexity for the sake of itself?? A placebo level of reassurance that people are then "protected" from an academic exercise that nobody in their right mind is dumb enough to bother with?-Stoic Joker (May 16, 2015, 07:42 AM)
The point in encrypting everything is that encrypted traffic doesn't stand out - it's an act of solidarity. It makes dragnetting and mass-bruteforce-decryption harder.

Now, the whole CA system is massively broken, so yeah, nation states and sufficiently funded rogue actors won't have trouble getting a cert so they can pose as you - that can be detected client-side, though, by checking certificate fingerprints (and yes, it's problematic that certificates are usually generated by CAs - there's no guarantees they don't keep a copy of the private key part). But at least it's theoretically possible to guard against rogue certs, and I do use Certificate Patrol myself. It generates a lot of noise for regular web browsing, though.

Also, while it's easy enough for the big bad players to get an impersonating certificate, this will not allow them to decrypt past communications.

-f0dder (February 20, 2016, 12:38 PM)
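f0dder's point about catching an impersonating certificate client-side by checking fingerprints is the trust-on-first-use model that Certificate Patrol implements: remember what a host presented the first time, complain when it changes. The script below is an added example written for this page, not code from the thread or from Certificate Patrol; the host name, the stand-in certificate bytes and the `pins.json` store file are assumptions, and `fetch_der()` is only there to show where real input would come from.

```python
"""Trust-on-first-use (TOFU) certificate fingerprint checking in the spirit
of Certificate Patrol: remember the fingerprint of the certificate a host
presented the first time, and flag any later change.  Added example; the
host name, the stand-in certificate bytes and the store file are made up."""
import hashlib
import hmac
import json
import ssl
from pathlib import Path


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 over the DER-encoded certificate, in the AA:BB:CC form that
    browser certificate viewers display."""
    digest = hashlib.sha256(der_cert).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def check_pin(host: str, der_cert: bytes, store: dict) -> str:
    """Compare the presented certificate with the remembered one.

    Returns 'new' (first sight, now pinned), 'match' or 'CHANGED'.  A
    'CHANGED' result is what a mis-issued or impersonating certificate looks
    like, but it is also what a routine renewal looks like, which is why a
    tool like this is noisy and a human still has to decide."""
    fp = fingerprint(der_cert)
    seen = store.get(host)
    if seen is None:
        store[host] = fp
        return "new"
    return "match" if hmac.compare_digest(seen, fp) else "CHANGED"


def load_store(path: Path) -> dict:
    """Pin store on disk: {host: fingerprint}.  Missing file means empty."""
    return json.loads(path.read_text()) if path.exists() else {}


def save_store(path: Path, store: dict) -> None:
    path.write_text(json.dumps(store, indent=2, sort_keys=True))


def fetch_der(host: str, port: int = 443) -> bytes:
    """Live use only: fetch the leaf certificate the server presents.
    Verification is deliberately off here; the point is to record what was
    served, not to trust the CA's opinion of it."""
    pem = ssl.get_server_certificate((host, port))
    return ssl.PEM_cert_to_DER_cert(pem)


# Constructed stand-ins for DER certificate bytes so the demo runs offline;
# real input comes from fetch_der().
CERT_A = b"constructed stand-in for example.org's first certificate"
CERT_B = b"constructed stand-in for a different certificate for example.org"


def demo() -> list:
    """Offline walk-through: first sight, repeat visit, then a changed cert."""
    store = {}
    return [
        check_pin("example.org", CERT_A, store),
        check_pin("example.org", CERT_A, store),
        check_pin("example.org", CERT_B, store),
    ]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
    # Live use (assumed store path):
    # store = load_store(Path("pins.json"))
    # print(check_pin("example.org", fetch_der("example.org"), store))
    # save_store(Path("pins.json"), store)
```

Pinning the leaf certificate's fingerprint, as this does, means every renewal shows up as `CHANGED`; with Let's Encrypt certificates valid for 90 days that is a lot of the noise f0dder mentions. Pinning a hash of the public key (the SPKI) instead survives renewals when the operator keeps the same key, at the cost of missing a CA that re-issues for the same key.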
So I'm supposed to put out a not-insignificant amount of money as an act of solidarity?  Good luck with that one.

Once this letsencrypt gets a bit easier to use, I'll probably do it then.  But not before.

On letsencrypt, more and more hosts are adding it, and using cPanel it is easier now, but the problem is having non-HTTPS external links and content on your site. It could potentially be lots of work after adding letsencrypt on an established site.
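The practical cost the last post describes is mixed content: once the page itself is served over HTTPS, every sub-resource still fetched over `http://` is either blocked by the browser (scripts, stylesheets, frames, form targets) or shown with a warning (images, media), and plain links quietly send visitors back to the unencrypted site. The scanner below is an added example written for this page, not code from the thread or from cPanel or Let's Encrypt; the sample HTML is constructed, and the tag/attribute tables are a working subset rather than a complete list.

```python
"""Find http:// references that turn into mixed content once the page itself
is served over HTTPS.  Added example; the sample page is constructed."""
from html.parser import HTMLParser
from typing import Optional
from urllib.parse import urlsplit

# (tag, attribute) pairs that load something or send data.  Browsers block
# active mixed content outright, usually render passive content with a
# warning, and do nothing about plain links, which are not mixed content but
# still route visitors back to http.  <link href> is treated as active since
# stylesheets are the common case.
ACTIVE = {("script", "src"), ("link", "href"), ("iframe", "src"),
          ("form", "action"), ("object", "data"), ("embed", "src")}
PASSIVE = {("img", "src"), ("video", "src"), ("audio", "src"),
           ("source", "src"), ("track", "src")}
LINK = {("a", "href")}


def severity(tag: str, attr: str) -> Optional[str]:
    if (tag, attr) in ACTIVE:
        return "active"
    if (tag, attr) in PASSIVE:
        return "passive"
    if (tag, attr) in LINK:
        return "link"
    return None


class MixedContentFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # (tag, attr, url, severity)

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names and also routes
        # self-closing tags (<img ... />) through here.
        for name, value in attrs:
            sev = severity(tag, name)
            if sev is None or not value:
                continue
            # Only an explicit http: scheme is a problem; relative and
            # protocol-relative (//host/...) URLs inherit https from the page.
            if urlsplit(value.strip()).scheme.lower() == "http":
                self.findings.append((tag, name, value, sev))


def find_mixed_content(html: str) -> list:
    parser = MixedContentFinder()
    parser.feed(html)
    parser.close()
    return parser.findings


def summarize(findings: list) -> dict:
    """Counts per severity, the number that matters when sizing the job."""
    counts = {"active": 0, "passive": 0, "link": 0}
    for _tag, _attr, _url, sev in findings:
        counts[sev] += 1
    return counts


def upgrade(url: str) -> str:
    """Naive https rewrite.  Only safe after confirming the third-party host
    actually serves the resource over https, which is the manual part."""
    if url.lower().startswith("http://"):
        return "https://" + url[len("http://"):]
    return url


# Constructed sample page: a mix of clean, protocol-relative and http: refs.
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="http://cdn.example.net/site.css">
<script src="https://cdn.example.net/app.js"></script>
<script src="http://ads.example.org/track.js"></script>
</head><body>
<img src="http://images.example.net/logo.png">
<img src="//images.example.net/banner.png" />
<a href="http://partner.example.com/">Partner</a>
<form action="http://example.com/login" method="post"></form>
</body></html>"""


if __name__ == "__main__":
    found = find_mixed_content(SAMPLE_HTML)
    for tag, attr, url, sev in found:
        print(f"{sev:8} <{tag} {attr}> {url}  ->  {upgrade(url)}")
    print(summarize(found))
```

Run it against each template and page of the site before flipping the redirect to HTTPS: the `active` entries are what breaks the site, the `passive` ones produce the warning icon, and every `upgrade()` suggestion still has to be checked by hand, since a third-party host that only answers on port 80 has to be replaced rather than rewritten.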


