Thread: Why no https???
View Single Post
  #6   (View Single Post)  
Old 9th September 2018
Funkygoby Funkygoby is offline
Fdisk Soldier
Join Date: Aug 2015
Posts: 57

It seems to me that https involves two distinct mechanisms. Please correct me:

1- The stream is (asymetrically) encrypted so no 3rd party can read or inject content.
2- You are garanteed to be visiting the right website through the use of "trusted" certificates. Each domain has his own certificate delivered by organizations.

With those 2 features combined, you should end up with a secure connexion to the legitimate website.

The problem is, we (internet users) are trusting a handful of organizations to be competent in doing the right things: provide certificates to the right people. So far symantec and trustico have comfirmed that, again, this is prone to failure.

The stream is encrypted but maybe not secure if the certificate is compromised.

To conclude, I am all for encrypted stream where it is needed. Regarding this forum, I am not sure. Is the login/password encrypted or plain text? My password is disposable after all. Steal it all you want I don't care and will just generate a new one.
Certificate OTOH is a false sense of secutiy IMO.
I like @tedu approach with his website: https with his own untrusted certificate that you have to accept once.
Reply With Quote