@BryanLunduke I think you missed a point that resolves (or should) the false Certificate problem.
The solution has existed from late 2016 but it's recently becoming more adopted by major players, (I hope, alteast.)
I was actually speaking to cloudflare's engineers about its implementation recently.
This doesn't stop the other issues, but it's good thing to note for future reference: https://en.wikipedia.org/wiki/DNS_Certification_Authority_Authorization
@BryanLunduke certainly an interesting take. I think the largest problem is the hashing algorithms. We do need a community built one. That being said, true randomness is near impossible to do using computer logic. Dunno if you've seen Tom Scott's video on the matter at Cloudflare. Worth a watch
@BryanLunduke When you take your own HTTP website as an example and say it is as secure as an HTTPS one, it is simply wrong : HTTPS protects you from tampering. Anyone who visits your website (or any other HTTP site) is taking the risking of receiving an altered version, maybe with malicious code added.
It's too bad you didn't really discuss this issue :/
@BryanLunduke I feel like having to yell at you again 😉
Sure, some points in your video are correct, others are way oversimplified or plainly wrong.
1. Bad encryption is always still better than no encryption. full stop.
2. Not HTTPS is dangerous, NSA et al. & backdoors are.
3. Your website not delivering https enables MITM attacks with Payload injections permanently infecting users PCs. HTTPS on your website is NOT pointless.
I'll weigh in with my 3 pence worth
The danger of HTTPS is the lack of education in that that it is only one link in chain & over reliance on the green lock is misplaced
I relate HTTPS and HTTP to having a conversation in your own home and in a Bar.
At home you have a reasonable expectation of privacy & confidence in your environment, yet someone may still overhear or see the discussion taking place
In a bar an acquaintance could easily eavesdrop & disseminate the conversation
I work for a major UK retailer on the "product Q&A team"
While searching an answer, I located a Fake Clone site of my employers.
The Domain was similar official site. It ranked ranked higher in google search results.
It was an EXACT clone, in every sense, in fact it was "better" as was quicker & more responsive
My colleagues & manager did not notice it was fake - until I listed a few things, all commented it had the green-lock so must be ok..
The site was reported
@BryanLunduke in all of this negativity, I won't focus on HTTP vs HTTPS as far as protocols go. But I had no idea the the government had been involved. If there is one thing we've learned, that is that we can't actually ever trust a secretive government agency.
That said, after delving in deep on the exploitation side of the internet, I can justly say that it really doesn't matter anymore if you use HTTP or HTTPS. I mean some say that at least there is some sort of encryption, but that...
@BryanLunduke ... doesn't actually matter anymore. Thanks to the NSA/Govt-in-general it doesn't matter to the common black/grey hat if it is HTTP or HTTPS. The "S" doesn't change the ease of the exploitation very much. It just changes the method... sort of. I'm just saying, if you insist that you/your company needs the "S", you are misguided by what that means. To the black hat, it is the different between eating an apple and eating an orange. The method is different but you get the same results
@BryanLunduke Sorry, one more stream of consciousness.
@BryanLunduke is right in that the "S" is dangerous since it actually provides almost no benefit of security. It is an illusion. That is what the black hats rely on. That is probably 90% of an exploit/injection/whatever. Gaining trust is the only really essential tool in a black hatter's tool bag. The "S" stands for trust and that is why it's dangerous.
Don't trust the NSA/Govt/Google/Facebook/Anyone. They all lend to your false security.
@BryanLunduke One minor complaint with the video: HTTPS isn't necessarily end-to-end encrypted, it's status that way depends on context.
For example if your site was running HTTPS it would be end-to-end encrypted because the conversation's between us. But Facebook using HTTPS doesn't make it end-to-end encrypted as the conversation is between your aquintances using the site, not Facebook itself.
But then again, that's part of the point your video. HTTPS is only part of the solution.
@BryanLunduke Wow Bryan - you're better than this. I think you just got a bee in your bonnet over the NSA's involvement, even though the algorithms will have been independently audited.
Faking a cert is only easy if you obtain the key, or you have a dodgy CA. Either way, HTTPS stops casual eavesdropping on traffic, which is important.
I think this video is irresponsible at best and dangerous at worst, and I reiterate, you're better than this fear mongering click-bait