I feel a bit of dissonance on HN on the issue of HTTPS. On issues of surveillance and spying the responses are often measured and there is generally a balanced debate, and yet on SSL suddenly it's a matter of extreme urgency, with strident positions backed up by references to MITM, spying and ISP-injected ads.
This is not as urgent a matter as some here tend to make it; better to resolve it properly than rush into half-baked solutions like Google shaming websites. Why should a private company have the ability to shame websites and drive decisions in a certain direction without any consultative process or accountability? Surely these are decisions for industry groups and wide consensus, and not individual corporates driven by self-interest.
Corporates routinely MITM SSL traffic and no one is shaming them or the equipment makers for that, so SSL and MITM is hardly going to be a problem for state actors. For protection against less influential actors, banks and those who process sensitive data have been on HTTPS for a long time now, so where is this urgency and the need to take action coming from?
Everyone agrees security is good, but the mechanism to enable this cannot be given up to browser makers and CAs. This is a complete loss of end-user control and a significant step back from the open net that cannot just be brushed aside.
Not everyone needs HTTPS, and for ad injection the pressure should be on ISPs to stop the illegal behavior. Why can't we shame ISPs instead of forcing all websites to HTTPS?
Other solutions, like signing content, that empower individuals rather than corporates and vested interests should be explored. The same browser makers went ahead and arbitrarily started flashing grave warnings on self-signed certs without any consultative process or accountability.