by hsbauauvhabzb 2047 days ago
If my choices are to implement a security control which forces a layer of security, or forgo that security control so Alice can upload her holiday pictures to a host which doesn’t support HTTPS either, I know which one I’ll pick. Alice should either host her photos on Instagram, or learn how to run letsencrypt.

The day where certs are no longer freely obtainable is the day another self governed free TLS provider will appear and force their way into the market by providing installers to inject CAs into system cert stores.

There’s always Tor if you disagree.


> Alice should either host her photos on Instagram, or learn how to run letsencrypt.

Both leading to further centralisation of the Internet.

> by providing installers to inject CAs into system cert stores

That's already pointless on Android, user-installed CAs are ignored by default unless an app developer opts in to using them.

Once we go down this path there's no turning back to the user-centric Web of the 1990s / 2000s.
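For reference on the Android point raised above, here is the opt-in being described, as an added example (not something any commenter in the thread posted). Since Android 7.0 (API 24), an app targeting that level trusts only the system CA store by default; an app developer who wants user-installed CAs honoured must ship a Network Security Configuration that lists the `user` trust anchor. The file name `network_security_config` is conventional and assumed here; it is wired in via `android:networkSecurityConfig="@xml/network_security_config"` on the `<application>` element of the manifest.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- res/xml/network_security_config.xml (file name assumed for this example) -->
<network-security-config>
    <!-- Default on API 24+: only the system store is trusted. A CA a user
         (or a malicious installer) adds to the device store does nothing
         for this app unless src="user" is added below. -->
    <base-config>
        <trust-anchors>
            <certificates src="system" />
            <!-- The opt-in the thread refers to: trust user-installed CAs.
                 Uncomment only if you accept that a user- or malware-added CA
                 can then intercept this app's TLS traffic. -->
            <!-- <certificates src="user" /> -->
        </trust-anchors>
    </base-config>

    <!-- Narrower alternative: honour user CAs only in debuggable builds,
         e.g. for local TLS interception while testing. Release builds
         (android:debuggable="false") ignore this block entirely. -->
    <debug-overrides>
        <trust-anchors>
            <certificates src="user" />
        </trust-anchors>
    </debug-overrides>
</network-security-config>
```

The practical check is to look for `<certificates src="user" />` inside `<base-config>` or a `<domain-config>` (rather than only inside `<debug-overrides>`) when reviewing an app: that is the setting that makes a CA injected into the device's user store relevant to the app at all.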

> That's already pointless on Android, user-installed CAs are ignored by default unless an app developer opts in to using them.

And? App developers should opt in to ignoring transport security. I’m sure a bunch of Android shitware attempts to install CAs either via user interaction or exploitation.

> Once we go down this path there's no turning back to the user-centric Web of the 1990s / 2000s

The landscape we live in now is very different to then. I’m all for a free web, but not at the cost of security. The web is now a multi billion trillion dollar industry. Weakening security just so Bob can see Alice’s holiday pics in a situation where Alice can’t figure out letsencrypt, is frankly unhinged.

If you want a ‘free web’ you’re welcome to disable any HTTPS enforcement and disable TLS cert checking entirely. Hell, fork a browser, be very clear about the security weaknesses and publish on github if you feel that strongly, I’ll even star it for you.

> The web is now a multi billion trillion dollar industry.

Maybe your web service is, but mine isn't. Mine is a specialized embedded device server that now has an expiration date for no reason on God's green earth.

Feel free to fork Mozilla codebases if you disagree with fundamental security concepts.