by asciilifeform
1740 days ago
Author of linked article speaking. (How it ended up here -- I have no idea, I'm rather surprised that it was of interest to more than the 3 people for whom it was written.) This flame is doubly funny given how the article specifically concerns algorithms for possible decentralized cryptonets. HTTPSism is deliberately broken on my WWW, to annoy unthinking servants of the PKI Reich. For the thick: at the start, there is a PGP-signed copy of the text offered. And yes I in fact live and die by my PGP identity. And not Verisign et al's NSA-controlled PKI horror, no.
Which shows you don't understand the problem.
HTTPS on content-only sites is primarily about preventing people from tampering with the website in ways which potentially can hurt you from just opening them. The increased trustability of the content is important too, but only secondary.
A PGP-signed copy helps me to verify the content after I already fully loaded it, with a lot of additional overhead.
It doesn't prevent JS injected into your site from being executed, nor does it prevent an injected HTTP redirect to a fingerprinting site or similar (which e.g. could use non-JS fingerprinting or potential non-JS-based RCE attack vectors, which luckily I haven't heard of in browsers in recent years but are not impossible at all).
As long as browsers don't check the signature before loading/parsing any content, it isn't secure.
EDIT: In general, in 2021 using HTTPS "doesn't cost you anything" (in the sense that nearly anyone can afford it), neither does it prevent you from still doing what you currently do (standing by PGP (oversimplified)) and being against the by now pretty much not-undoable, not-decentralized HTTPS infrastructure. But realism is an important part of security.