On Sunday, 10 June, 2018 14:27, George <g.lis...@nodeunit.com> wrote:

>I don't feel safer running HTTPS everywhere as Google wants with a
>trust store full of certificates for companies, governments and
>corporations I have never personally met or even trust by name nor 
>can I if I so desire disable when I want to. Or at least be given 
>a prompt trust or not to accept the certificates I only need 
>(I tried disabling all certs on my Android phone which made it 
>useless i.e. it had no network connectivity .... wat ... etc.)

It is only a problem if you think HTTPS provides anything more than transport 
security -- that is if you place any value on third-party authentication (often 
by untrustworthy entities).  If you treat HTTPS as it was originally designed 
(as engaging Transport security only) then there is no problem since there is 
no such thing as a "trusted certificate".

>If you look at your network traffic for any major website you will
>notice that well more than half of what is coming from CDN's blasting
>commercial content and collecting any data they can all powered by
>Google analytics and such. So more than half of my internet bill is
>for that. What SSL does is to make it very hard for someone at home
>to put a proxy and filter the junk that I am forced to pay for 
>whether I like it or not. I wish to ensure that my kid's Internet 
>browsing is not full of questionable content but I have to jump 
>carefully designed hoops by people working full time making sure 
>I am out of luck.

If you care about your security then you run a browser (and/or a plugin) that 
disables all third-party cookies, frames, and a crapload of other cruft, 
including all javascript, dotSNOT, WebASM, and all the other crap that can 
infest web pages.  This means that a vast number of websites will render 
improperly or not at all.  At this point you have to decide for each feature 
you enable on that site (and each javascript or third-party you enable) whether 
the decrease in security is outweighed by the ability to view the website.  
Whether the execution of "arbitrary code from an unknown party" on your 
computer constitutes a hazard or not.  Whether even allowing communication with 
a third-party is a hazard or not.

I have done that for years, ever since the unwashed masses were permitted to 
connect to the Internet in the early 1990's.  Whether the connections are HTTP, 
HTTPS, Web-Pages-over-Avian-Carriers or something else makes no difference.  I 
do not trust anyone other than myself.

In most cases I do not find the security trade-off worthwhile and if a web site 
uses javascript or other plugin crap, or especially if it is dependent on 
giving third-parties "free rein" to run/do whatever they please, then that 
site simply cannot be viewed.  End of Line.

(This also means running an ad-blocker, which I have done since the unwashed 
masses were permitted to connect to the Internet in the early 1990's).

>The end result being less privacy and less security as everyone is
>jumping the SSL termination bandwagon and basically doing the MIT
>that SSL was designed to avoid .... how ironic, hilarious and 
>ridiculous this all is..

Transport security increases the level of security since it prevents your ISP 
or other malicious poo-heads from tampering with the datastream during 
transport.  This is a good thing.  It is about the only thing that HTTPS (TLS) 
actually does.  That is why it (and the protocol) are called "Transport Layer 
Security" and not "Trusted End-to-End Security".

---
The fact that there's a Highway to Hell but only a Stairway to Heaven says a 
lot about anticipated traffic volume.




_______________________________________________
sqlite-users mailing list
sqlite-users@mailinglists.sqlite.org
http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users
