by jnbiche 3603 days ago
> The NSA (or anyone else who can MITM https, such as my workplace, college, etc.) can effectively turn it into http, and see the content.

To be clear, unless NSA has some massive capabilities we haven't dreamed of, properly implemented HTTPS cannot be MITM'ed (via SSL stripping, or other means) by anyone who lacks access to your local machine. Specifically, by properly-implemented SSL, I mean:

1. Serving https only, no http

2. HSTS

3. Certificate pinning

The situation you mention regarding workplace computers is a little different from the NSA, since they have the explicit authority and ability to install root certificates on your local work computer. Without those root certs (like if you use a personal computer at work), they lack the ability to MITM your connection, assuming the above.


If I'm the NSA, I'd already have stolen Protonmail's HSTS pinned cert's private key (possibly by burning a zero day getting into one of their web servers, possibly by "asking nicely" to some tech employee there for whom I had appropriate leverage).

But yeah - short of nation-state or very high level LEO (who're just piggybacking on their local NSA equivalent), HSTS with pinned certs is as close to "secure" as we have right now.

This is why we have HSMs.

It can in fact be "impossible" to steal one's crypto keys.

Yeah, but "stealing" them isn't the NSA's only avenue to acquire them. With Lavabit they just said "give us the keys so we can snoop all we want" - I suspect very few of us would be able to resist like Levison did (as in, shut your company and livelihood down, and hope they don't throw you in jail for doing so). (Fortunately, most of us won't have users with as much heat coming down on them as Snowden, but if you're building _anything_ privacy related you owe it to yourself to consider how far you'd go to protect your users if one of them turned out to be another Snowden...)

"stealing" is the only path the NSA can take in the case of ProtonMail, due to their servers being hosted in Switzerland and not within the borders of a nation that has a strong relationship with the US intelligence community.

I'd bet good money that the NSA can outsource this to their friends/counterparts/lackeys in any of five eyes, nine eyes, and fourteen eyes countries - and through less official channels involving local or flown-in thugs, pretty much everywhere else. They probably can't easily get Huawei's or Baidu's private keys, but I bet there's tens or hundreds of thousands of Protonmail sized companies in China/Russia/everywhere else that they _can_ strongarm the owners or sysadmin staff into handing keys over.

Or maybe I'm just in a way too "the whole world is fucked" mood today...

Only if you are sure the HSM isn't rigged from the start.

Another thing in the security tool chest is SubResource Integrity. If your JS is hosted on a CDN you can put a hash of the expected JavaScript within the HTML script declaration. When the browser downloads it, it'll verify the hash before executing it.

https://developer.mozilla.org/en-US/docs/Web/Security/Subres...