I’d switch to another certificate provider …
Comment on Is HTTPS a scam?
Dr_Satan@lemm.ee 9 months ago
What if the issuer of the security certificate started charging you $1000 a year?
Why wouldn’t they?
cali_ash@lemmy.wtf 9 months ago
Dr_Satan@lemm.ee 9 months ago
Don’t play the fool.
If “charging $1000 for security certificates” became common practice (much like HTTPS) then you would be stuck paying it.
(And maybe there would be a “standards of behavior” clause in the security certificate contract too. lol)
You are now dependent on a third party gatekeeper. He can bend you over literally any way at all. He just hasn’t yet.
And that goes for the legal authority behind that authority too, of course.
cali_ash@lemmy.wtf 9 months ago
And if everyone would suddenly charge $10.000 for food, a lot of people would starve to death! Does that make grocery stores a scam?
Your scenario is just absurdly unrealistic. Https and TLS are just standards. No single entity controls them. If all the certificate providers would suddenly charge money, you’d have a bunch of new, free certificate providers the next day.
Dr_Satan@lemm.ee 9 months ago
But if you needed permission to be a certificate provider then you’d be stuck.
Once you are dependent upon that official certificate, upon that issuer, you’re stuck. At their mercy.
udon@lemmy.world 9 months ago
That’s a good theory sir/lady, and actually was the case until around 10 years ago.
Then Snowden happened, and we found out that the NSA is sucking all unencrypted traffic out of the net and into their databases.
Then letsencrypt happened and now you can get your certificates for free. Don’t pay 1000$. Letsencrypt is free and you can automatically update certificates. If your hoster doesn’t offer https for free, choose a different hoster.
ares35@kbin.social 9 months ago
there's still the very real possibility they're hoovering all the encrypted data, too. and storing the stuff to/from 'interesting' end points for later 'analysis'--that is, if they don't already have the current tech broken.
Dr_Satan@lemm.ee 9 months ago
Yes it’s free today. Maybe not tomorrow. And the fact remains that you need permission from a third party (basically a gov official) to have a website now. Doesn’t that trouble you?
brygphilomena@lemmy.world 9 months ago
You have the timeline backwards. That’s pretty much how it was until letsencrypt hit the scene.
But the technology of https works even with a cert not from a trusted root issuer. You just have that annoying page to click through on web browsers.
Nollij@sopuli.xyz 9 months ago
Not THE issuer. AN issuer. All of your devices have a number of trusted top-level issuers (Root certification authorities). Windows has about 50 preloaded, and this list largely matches what you’ll find on Android, Mac, etc. Everyone’s been mentioning Let’s Encrypt, which descends from ISRG Root X1. But you can (relatively) easily get certs from Thawte, Verisign, and many others.
And if none of those are to your liking, you can install your own. Seriously, there’s nothing technical stopping you. Most corporate devices (Windows, Mac, Linux; Android or iOS; mobile, client, server) have the company’s root certs installed. The challenge for public trust is exactly that- Trust. You must operate in a way that is generally trustworthy.
Let’s Encrypt was actually pretty revolutionary. You aren’t entirely off base with your concern. Prior to that, getting a cert that was trusted by most devices was non-trivial, and came with an expense. But that wasn’t because of the desire for encryption. Rather, it was about verifying that you were who you said you were. These also served as proof of identity.
Shadow@lemmy.ca 9 months ago
Letsencrypt certs are free dude. Https literally costs you nothing.
Dr_Satan@lemm.ee 9 months ago
They’re free today. Maybe not tomorrow. But by then HTTP will have been “phased out” and asking the “security authority” for permission will have become common practice.
Shadow@lemmy.ca 9 months ago
They’re a non profit backed by a ton of major internet players, it’s not going to happen. letsencrypt.org/about/
What you’re talking about was already the situation before LE existed, we’re not going back to that. There’s other free providers now too.
Dr_Satan@lemm.ee 9 months ago
Ok. That’s a good argument. I didn’t realize that the forces for good here were so strong in this.
But frankly I’d rather not depend on them either.
z3rOR0ne@lemmy.ml 9 months ago
Just out of curiosity, what other trusted certificate authorities are there that offer ssl certs for free and no strings attached other than letsencrypt?