by phkamp 4070 days ago
HTTPS doesn't provide authentication. It only communicates authentication, and that is from the untrustworthy and widely trojaned CA-concept, which is as broken as it almost can be.

There are other, far better authentication methods for things like emergency services, and I'd rather have unauthenticated information, than no information at all anyway.

You also don't need authentication to stop ISPs being stupid, for that Integrity is all you need.

1 comments

As bad as the CA system is, I have not seen evidence that it's 'widely trojaned' or broken. The fact that a falsely minted certificate is such big news is evidence to the fact that it is working pretty well despite its flaws. And it is certainly better than no authentication at all.

Obviously it's not perfect, but being not perfect is no excuse for refusing to use what we've got right now. And it's not a choice of unauthenticated information or no information, it's a choice between authenticated information and possibly wrong information.

Trusting ISPs to have integrity is in my opinion much more absurd than trusting CAs. CAs have a financial motivation to keep their CA status which browsers can revoke. ISPs have nobody keeping them in line.

And you think NSA with their enormous budget and a mandate to collect "everything" looks askance at the CAs and goes "Nope!"?

Really?

How many of the root-certs that are in your browser by default do you actually trust?

What objective evidence is there that any of them can be trusted?

Nobody says that. We are all aware of that. But we shouldn't make it easier for our local ISPs or WiFi access operators to spy on us. Because those very probably don't have the CAs compromised.