by toomanythings2 3647 days ago
And when we visit your site for the first time, having never heard of you before, why should we trust you?

That's the point. Having some authority who did at least some minimal checking, to extensive checking, and who will verify you really are who you purport to be. Trust but verify probably plays a part in this.

But, remember, you don't have to go to HTTPS. There is no requirement for you to do so.


> They trust me because of personal history

That does not mean that you know something about Security.

> ... why should we trust you?

That's exactly the point. This is the INTERNET, we don't trust anyone, it's a dangerous place to do such an action... but we have to, otherwise it's better to go and live up in the mountains.

So, I prefer to trust Symantec/Google/DigiCert/etc... instead of some small business that does not even know the meaning of updating software or changing default passwords.

The chain of trust is a burden, I know, why should we trust anyone? But there has to be some level of trust between two parties, and, if we can have a third one (like an escrow) that can ensure that trust I think it's great. Even using asymmetric encryption you need to trust the other party's public key...

A quick example of an unencrypted, cert-less network, an insecure one with tons of vulnerabilities, is the SS7 and the GPS systems... Since they cannot add certificates to their BTS (base transceiver station) or their satellites, because of roaming technology, it's quite easy to set up an antenna and spoof them[1] and have full control over your phone and GPS[2].

[1] https://julianoliver.com/output/log_2014-02-13_17-17

[2] http://permalink.lanl.gov/object/tr?what=info:lanl-repo/lare...

I take cash, and always let folks try before they buy. :) I do have solid means of establishing trust. None of it has anything to do with technology security. Old school, baby!

That said, I am actually trying to move to a rather isolated place, and that is a perfectly valid option, so don't knock it.

Why should I trust you even if you have an HTTPS cert? All you needed to get one was a domain name.
People seem to be misinterpreting the intent of HTTPS; it doesn't give you any reason to trust a given site. HTTPS only verifies that the site you are talking to is in fact the domain name in the URL, rather than a government agency, ISP snooper/intermediary, or other man-in-the-middle attacker. It's up to you whether you trust the operator of that domain.
Why should you trust me if you have never met me? If you like what I do, trust me, and please give me money. :)

Cert companies only do a phone call check for the very expensive EV certs. There is no minimal to extensive checking. That is a scam.

Web tech is all https now. I can't even browse a lot of https sites with some of my older devices. There is a requirement and I dislike it.

>There is no minimal to extensive checking. That is a scam.

You generally have to modify the root domain to host a random value in a text file the cert company gives you. This demonstrates that you have control of the domain.

Aka, minimal checking.

Granted, that doesn't prove that you're the domain owner, but if you aren't the domain owner and you've got enough access to pass that challenge, the real owner has security problems a cert isn't going to fix, so hey.

All things considered, it's a hell of a lot better than nothing.
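The "random value in a text file" check described in the comment above, written out as an added example (not code from any commenter or CA): a CA-side issuer hands out a token, and a validator accepts the domain only if exactly that token is served at the expected path. The challenge path and the `served_files` dict standing in for plain-HTTP fetches are constructed for this example; real CAs use their own path and token format.

```python
import hmac
import secrets

# Hypothetical challenge location; real CAs define their own path and token format.
CHALLENGE_PATH = "/.well-known/dv-challenge/"


def issue_challenge():
    """CA side: mint an unguessable token the applicant must publish on the domain."""
    return secrets.token_urlsafe(32)


def fetch(served_files, domain, path):
    """Stand-in for an HTTP GET. served_files is a constructed dict of
    (domain, path) -> response body, so the example runs offline."""
    return served_files.get((domain, path))


def validate_domain_control(domain, token, served_files):
    """Return True only if the exact token is served at the expected path.

    Passing proves that whoever requested the cert can write to the web root
    of `domain` right now. It says nothing about who that party is, which is
    the limit of domain validation the thread is discussing."""
    body = fetch(served_files, domain, CHALLENGE_PATH + token)
    if body is None:
        return False  # file missing: no evidence of control
    # Constant-time comparison so a wrong token is rejected without leaking
    # how many leading bytes matched.
    return hmac.compare_digest(body.strip().encode(), token.encode())


if __name__ == "__main__":
    token = issue_challenge()
    # Constructed web root: the applicant has published the token.
    served = {("example.com", CHALLENGE_PATH + token): token + "\n"}
    print("control demonstrated:", validate_domain_control("example.com", token, served))
    print("wrong token accepted:", validate_domain_control("example.com", "x" * 43, served))
```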

> Why should you trust me if you have never met me? If you like what I do, trust me, and please give me money.

What if a customer who trusts you returns to your site, but ends up on an impostor's site instead? He has no way to discern the difference.

I would argue strongly that such users do not have those abilities even with https. A valid cert is a valid cert. My supporting point would be the major browser vendors' recent backpedal on throwing mixed-content errors, demonstrating that a smooth ride for the user is far more important than safety to them.

Actually I called shutterfly.com on the phone about that mixed content issue. I emailed them screenshots of the error from 6 different operating system and browser combinations, from 3 other users even. They claimed nothing was wrong. They were serving javascript via http on an https page and told me I was wrong and needed to update java, for weeks, on the phone, in chat, and in email, and declined to send the report to their webmaster. Even those wanting to be trusted are incapable of using these tools, from what I have seen. The whole thing is broken.

> I can't even browse a lot of https sites with some of my older devices.

What devices do you have that don't support TLS?

Also, the point is not to trust you or not, it's to trust that I'm actually talking to you and not a MitM.

Libretto 50ct. If 301s from http:// to https:// didn't exist, then I wouldn't have anything to complain about.