by geocrasher 1599 days ago
It's not about authentication. There is no misconception among any educated person that just because there is an SSL certificate it means that it is a trustworthy site. All it means is that the information is encrypted in transit. Google prefers sites that have TLS certificates installed, and so everybody gets one from Let's Encrypt for free. Therefore their SEO is better.

The argument that if you create a key and put it on a VPS or shared service you are effectively giving it to the service provider is true. But what does it matter? If you don't have an element of trust with your provider, then why are you hosting with them? And if you're that worried about it, why not do full disc encryption on top of it all?

2 comments

> And if you're that worried about it why not do full disc encryption on top of it all?

It does not necessarily solve the problem. The provider could steal the keys in memory when the disc is accessed. Anyway, hosting stuff at home does not fully solve the issue: you still have to trust your machine's firmware / hardware. So… HTTPS should never be used?

The only guarantee HTTPS gives is that the communication between the client and the server is encrypted, not that the server is not compromised. HTTPS does not worsen the situation. Nobody should use HTTPS for authentication, that's not what it is for (edit: well, except the bit about domain ownership, agreed).

It is a bit about authentication - it is meant to authenticate that you are talking to the owner of the domain (which is different from authenticating the person behind it).

Compare that to pure optimistic encryption which has very different properties than https.

[P.S. If anyone says OV and EV certs... those haven't been very effective, so I'm ignoring them.]
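The "authenticates the domain owner, not the person behind it" point above can be seen directly in what certificate verification actually checks. The script below is an added example, not code from anyone in the thread: it builds a throwaway private CA, issues a leaf certificate for one constructed hostname (`www.example.test`), and then verifies the chain plus the hostname match with `openssl verify`. Everything else about the operator (identity, intent, whether the server is compromised) is outside what that check can say.

```shell
#!/bin/sh
# Added example: what a TLS certificate check establishes. The CA, hostname
# and file names are constructed for this demo and stand in for a public CA.
set -e
WORK=$(mktemp -d)
cd "$WORK"

# 1. A private CA (plays the role of a CA already in a client's trust store).
openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.pem \
  -subj "/CN=Example Test CA" -days 1 2>/dev/null

# 2. The site's key and CSR; the CA signs it with a SAN naming the host.
#    Issuing to this name is the only "ownership" claim the cert carries.
openssl req -newkey rsa:2048 -nodes -keyout leaf.key -out leaf.csr \
  -subj "/CN=www.example.test" 2>/dev/null
printf 'subjectAltName=DNS:www.example.test\n' > san.ext
openssl x509 -req -in leaf.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
  -out leaf.pem -days 1 -extfile san.ext 2>/dev/null

# verify_chain_for HOST: succeeds (exit 0) only if leaf.pem chains to a
# trusted CA AND its SAN matches HOST. This is the whole of what a browser's
# padlock attests; it says nothing about who runs the box or its integrity.
verify_chain_for() {
  openssl verify -CAfile ca.pem -verify_hostname "$1" leaf.pem >/dev/null 2>&1
}

# untrusted_without_ca: the same cert fails when no trust anchor is given,
# i.e. encryption alone (a cert you cannot chain) gives no domain assurance.
untrusted_without_ca() {
  ! openssl verify leaf.pem >/dev/null 2>&1
}

# Demo run for the reader (the checks below are also exercised by a test).
verify_chain_for www.example.test && echo "www.example.test: chain+name OK"
verify_chain_for mail.example.test || echo "mail.example.test: name mismatch"
untrusted_without_ca && echo "no CA given: untrusted"
```

Swap `www.example.test` for another name in the second call and the same certificate is rejected, which is the domain-authentication property the comment describes.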