Comment on Is HTTPS a scam?
cali_ash@lemmy.wtf 9 months ago
No it’s not.
And it’s not really like the TSA on the airport. It’s more like “having a door on your plane” security.
What if the issuer of the security certificate started charging you $1000 a year?
Why wouldn’t they?
Letsencrypt certs are free dude. Https literally costs you nothing.
They’re free today. Maybe not tomorrow. But by then HTTP will have been “phased out” and asking the “security authority” for permission will have become common practice.
They’re a non profit backed by a ton of major internet players, it’s not going to happen. letsencrypt.org/about/
What you’re talking about was already the situation before LE existed, we’re not going back to that. There’s other free providers now too.
I’d switch to another certificate provider …
Don’t play the fool.
If “charging $1000 for security certificates” became common practice (much like HTTPS) then you would be stuck paying it.
(And maybe there would be a “standards of behavior” clause in the security certificate contract too. lol)
You are now dependent on a third party gatekeeper. He can bend you over literally any way at all. He just hasn’t yet.
And that goes for the legal authority behind that authority too, of course.
And if everyone would suddenly charge $10.000 for food, a lot of people would starve to death! Does that make grocery stores a scam?
Your scenario is just absurdly unrealistic. Https and TLS are just standards. No single entity controls them. If all the certificate providers would suddenly charge money, you’d have a bunch of new, free certificate providers the next day.
That’s a good theory sir/lady, and actually was the case until around 10 years ago.
Then Snowden happened, and we found out that the NSA is sucking all unencrypted traffic out of the net and into their databases.
Then letsencrypt happened and now you can get your certificates for free. Don’t pay 1000$. Letsencrypt is free and you can automatically update certificates. If your hoster doesn’t offer https for free, choose a different hoster.
You have the timeline backwards. That’s pretty much how it was until letsencrypt hit the scene.
But the technology of https works even with a cert not from a trusted root issuer. You just have that annoying page to click through on web browsers.
Not THE issuer. AN issuer. All of your devices have a number of trusted top-level issuers (Root certification authorities). Windows has about 50 preloaded, and this list largely matches what you’ll find on Android, Mac, etc. Everyone’s been mentioning Let’s Encrypt, which descends from ISRG Root X1. But you can (relatively) easily get certs from Thawte, Verisign, and many others.
And if none of those are to your liking, you can install your own. Seriously, there’s nothing technical stopping you. Most corporate devices (Windows, Mac, Linux; Android or iOS; mobile, client, server) have the company’s root certs installed. The challenge for public trust is exactly that- Trust. You must operate in a way that is generally trustworthy.
Let’s Encrypt was actually pretty revolutionary. You aren’t entirely off base with your concern. Prior to that, getting a cert that was trusted by most devices was non-trivial, and came with an expense. But that wasn’t because of the desire for encryption. Rather, it was about verifying that you were who you said you were. These also served as proof of identity.
nxdefiant@startrek.website 9 months ago
This is the best analogy I’ve ever read, bravo.