[macspoofing]

>how are we to trust that for example Version or Thawte are not influenced by the likes of NSA and make possible for them to decript our traffic with ease

Abandon all hope that HTTPS will safeguard you from the NSA or any major foreign intelligence agency.

[rdavl]

And with that I absolutely agree.

So what is the level of paranoia that SSL is useful for? Since this is what the article says:

> Encryption makes it more difficult for governments and other third parties to monitor your traffic. It also makes it harder for Internet Service Providers (ISPs) to censor access to specific Wikipedia articles and other information.

And we agree it doesn't really help with government surveillance?

Do ISPs randomly censor access? Or do they again do it on government requests. Cos if government finds that your site needs censorship why would they not just block the whole site? Another thing that is harder for ISPs to do with SSL is caching.

Maybe I'm not brightest child on the block so I'm still struggling to figure out what is a benefit of having HTTPS everywhere.

And having the likse of Google punishing non SSL sites just makes this fad worse. I don't need SSL on StackOverflow, Django or Python documentation. Does anyone?

[comex]

HTTPS does help with government surveillance. It won't save you if the NSA is targeting you individually, to the point where they're prepared to use targeted active exploits whose detection and identification would cost them both technically and PR-wise... but it will prevent (some of) your data from being passively vacuumed up en masse along with everyone else's, which for most people is a more pressing concern.

Well, unless the NSA has some magic passive SSL strip attack, which is not out of the question, but very unlikely.

[lcswi]

Yes, I believe I do. It is no ones business but mine and the site's what I am reading or contributing.

[rdavl]

Fair point, I am not pretending that everyone will have same requirements and oppinions. But even with SSL at least the domain is still visible. And in some cases there are ways to infer what URL you actually visited.

I also see companies using MITM successfully in a way that unless you check the cert your self it seems legit. I still use HTTPS when I go to Google but I can see the cert is spoofed.

And what about the people that don't care and are effectively prohibited from using a public data site at all since the site decided to use HTTPS only? Do way say we don't care about them? Since few years back we wanted our sites to be available to everyone, on old browser new browsers, mobiles and so on.

And having people smarter then me (like Roy Fielding) agreeing this does not do much for privacy rather content confidentiality (and actually making communication less private) is not making me any more convinced.

Bottom line, and I don't expect everyone to agree, is that I am all for using SSL even by default, but for public data I would still want to have access to it over plain HTTP.

I want/need that choice, otherwise we are hindering corporation employees and people living in the countries in which governments do massive surveillance. I think it is important for people to realise that SSL is not the ultimate solution for data integrity and specially privacy as it is often posed to be.

Thanks to all expressing your views in comments.