by forgottenpass 4070 days ago
The case against the trendy push for "HTTPS always, no exceptions" is largely a set of corner cases everyone else is comfortable ignoring, so I'm glad someone is making it.

I have yet to see an opponent of https everywhere address the fact that https provides important authentication. Isn't it important that when you go to your government's emergency status page you see what they published rather than the emergency rick roll that my ARP-spoofing laptop served you? Are you okay with Comcast injecting ads and Verizon adding supercookies to your sessions?

The none cipher provided this without encryption, but it's long been deprecated.

HTTPS doesn't provide authentication. It only communicates authentication, and that is from the untrustworthy and widely trojaned CA concept, which is as broken as it almost can be.

There are other, far better authentication methods for things like emergency services, and I'd rather have unauthenticated information, than no information at all anyway.

You also don't need authentication to stop ISPs being stupid; for that, integrity is all you need.

As bad as the CA system is, I have not seen evidence that it's 'widely trojaned' or broken. The fact that a falsely minted certificate is such big news is evidence to the fact that it is working pretty well despite its flaws. And it is certainly better than no authentication at all.

Obviously it's not perfect, but being not perfect is no excuse for refusing to use what we've got right now. And it's not a choice of unauthenticated information or no information, it's a choice between authenticated information and possibly wrong information.

Trusting ISPs to have integrity is in my opinion much more absurd than trusting CAs. CAs have a financial motivation to keep their CA status, which browsers can revoke. ISPs have nobody keeping them in line.

And you think the NSA, with their enormous budget and a mandate to collect "everything", looks askance at the CAs and goes "Nope!"?

Really?

How many of the root certs that are in your browser by default do you actually trust?

What objective evidence is there that any of them can be trusted?
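What the "authentication" argued about above actually consists of, as an added example that is not part of the thread or anyone's comment in it: a throwaway PKI built with the openssl command line, showing that a browser-style check accepts a server certificate only when it chains to a root in the trust store and carries the requested hostname, that the ARP-spoofing laptop's certificate fails that check, and that the check silently passes once a rogue root has been added to the trust store, which is the CA-compromise scenario the last two comments worry about. Every name here (emergency.example, trusted-root, attacker-root, the bundle file names) is made up for the example; it assumes an OpenSSL 1.1.0 or later `openssl` binary (for `verify -verify_hostname`) and writes only to a temporary directory.

```shell
#!/bin/sh
# Added example, not code from the thread. Builds a throwaway PKI with the
# openssl CLI to show what an HTTPS client's certificate check decides.
# All names (emergency.example, trusted-root, attacker-root, ...) are hypothetical.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
HOST="emergency.example"     # hypothetical government status page

# make_ca NAME: self-signed root NAME.crt (key in NAME.key). The config file
# marks it as a CA explicitly so the result does not depend on the system openssl.cnf.
make_ca() {
  cat > "$WORK/$1.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3_ca
[dn]
CN = $1
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
  openssl req -x509 -config "$WORK/$1.cnf" -newkey rsa:2048 -nodes -sha256 \
    -days 1 -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

# issue_leaf CA NAME DNSNAME: server certificate NAME.crt for DNSNAME signed by CA,
# with the name bound in subjectAltName, which is where a browser looks for it.
issue_leaf() {
  ca="$1"; name="$2"; dns="$3"
  cat > "$WORK/$name.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
[dn]
CN = $dns
[v3_leaf]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$dns
EOF
  openssl req -new -config "$WORK/$name.cnf" -newkey rsa:2048 -nodes \
    -keyout "$WORK/$name.key" -out "$WORK/$name.csr" 2>/dev/null
  openssl x509 -req -sha256 -days 1 -in "$WORK/$name.csr" \
    -CA "$WORK/$ca.crt" -CAkey "$WORK/$ca.key" -CAcreateserial \
    -extfile "$WORK/$name.cnf" -extensions v3_leaf -out "$WORK/$name.crt" 2>/dev/null
}

# verify_for_host BUNDLE LEAF DNSNAME: prints "ok" when LEAF.crt chains to a root
# in BUNDLE *and* is issued for DNSNAME (the two things a browser checks), else "fail".
verify_for_host() {
  if openssl verify -CAfile "$WORK/$1" -verify_hostname "$3" \
       "$WORK/$2.crt" >/dev/null 2>&1; then
    echo ok
  else
    echo fail
  fi
}

# setup_pki: one root the "browser" trusts, one root the attacker controls,
# and the three server certificates the thread's scenarios need.
setup_pki() {
  make_ca trusted-root
  make_ca attacker-root
  issue_leaf trusted-root  legit     "$HOST"          # the real site
  issue_leaf trusted-root  wrongname "other.example"  # honest CA, but for another name
  issue_leaf attacker-root impostor  "$HOST"          # the ARP-spoofing laptop's cert
  cp  "$WORK/trusted-root.crt" "$WORK/browser-bundle.pem"
  # The trust store after a rogue root has been slipped into it:
  cat "$WORK/trusted-root.crt" "$WORK/attacker-root.crt" > "$WORK/compromised-bundle.pem"
}

main() {
  setup_pki
  printf '%-10s %-22s %s\n' "cert" "trust store" "verdict"
  for case in "legit browser-bundle.pem" "wrongname browser-bundle.pem" \
              "impostor browser-bundle.pem" "impostor compromised-bundle.pem"; do
    set -- $case
    printf '%-10s %-22s %s\n' "$1" "$2" "$(verify_for_host "$2" "$1" "$HOST")"
  done
}

main
```

The first three rows are the authentication the thread's second comment is pointing at: the impostor certificate is rejected even though it names the right host, and a certificate from an honest CA is rejected when the name does not match. The fourth row is the other side's point: the check is only as good as the root list it is run against, and an attacker who controls any root in that list passes it without tripping anything.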

Nobody says that. We are all aware of that. But we shouldn't make it easier for our local ISPs or WiFi access operators to spy on us. Because those very probably don't have the CAs compromised.