undefined | Better HN

0 pointsFnoord8y ago0 comments

> Back in the early days you couldn't get a certificate without faxing in a copy of your business registration.

Well well, guess who could easily spoof that one.

> A certificate authority's digital imprimatur implied something substantial about the credibility of a site, however imperfect the process.

Not just the process. SSL downplay attacks and lack of certificate pinning already existed back in those days.

As long as those attacks are unknown you may still be reasonably secure against a MITM from a banana state government or a random ISP.

Also, lets not forget that running your entire website on HTTPS was expensive on resources before the 10s.

So the argument "because we can" makes sense. That doesn't mean all that information has to be encrypted. However, if you want to harm a surveillance state, then one act is causing significant noise. Uninteresting, encrypted data is noise and potentially yields plausible deniability.

The other argument is "because we have to". Different attacks have been demonstrated on that one: hostile networks such as ISPs injecting ads, hijacking DNS, open WiFi, impersonating fraudulent websites are just a few examples.

0 comments

1 comments · 1 top-level

wlll8y ago

> Well well, guess who could easily spoof [faxing in a copy of your business registration].

I worked for an ISP in 2000 and we had to both send and receive faxes on "company headed notepaper" as a means of authenticating a request. All you needed was a word doc with the company name in bold at the top of the page.

When we hit this particular bureaucratic speed bump (mostly dealing with domain name registrars), and having no "company headed notepaper" ourselves (we were 20 people) we just fabricated it. It always worked.

j / k navigate · click thread line to collapse