It feels like just yesterday I was paying for certs, or worst, just running without.
Can't believe its been ten years.
replies(1):
Can't believe its been ten years.
The lack of understanding from us as technologists for people who would have had a working site and are now forced into either: an oligopoly of site hosting companies, or, for their site to break consistently as TLS standards rotate is one thing that brings me shame about our community.
You can come up with all kinds of reasons to gatekeep website hosting, “they have to update anyway” even when updating means reinstallion of an OS, “its not that hard to rotate” say people with deep knowledge of computers, “just get someone else to do it” say people who have a financial interest in it being that way.
Framing people with legitimate issues as weirdo’s is not as charming as you think it is.
Safe transfer should be the default.
Your argument is akin to "I don't have anything to hide."
You just do it and don't think about it. Modern servers and services make this completely transparent.
The kebab guy doesn't need to worry about this as long as they're not fooled into buying from mala fide hosting companies who tries to upsell you on something that should be the baseline.
While we might be able to find common ground in the statement that "safe transfer should be the default", we will differ on the definition of "safe".
Unfortunately these discussions often end up in techno-babble. Especially here on HN were we tend to enjoy rather binary viewpoints without too many shades of gray.
Try being your own devils advocate: "What if I have something to hide?".
Then deal with that. Legitimately. Reasonably. Unless you are an anarkist I assume that we can agree that we need authoraties. A legal framework. Policing.
So I 100% support Let's Encrypt and what they have done to destroy the certificate racket. That is a force of good!
But I do not think it was a healthy thing that the browsers (and Google search results) "forced" the world defacto to TLS only.
Why? Look at the list of Trusted Root Certificates in the big OS and browsers. You are telling me only good guys are listed? None here are or can be influenced by state actors?
But that is the good kind of MITM? This then hinges on your definition of "safe transport". Only the anarkist can win against the government. I am not.
It might sound like I am in the "I do not have anything to hide" camp. I am not that naive. But I am firmly in the "I prefer more scrutiny when I have something to hide". Because the measures the authorities needs to employ today are too draconian for my liking.
I preferred the risk of MITM on an ISP level to what the authoraties need to do now to stay in control. We have not eliminated MITM. Just made it harder. And we forgot to discuss legitimate reasons for MITM because "bad".
This is not a "technical" discussion on the fine details of TLS or not. But should be a discussion about the societal changes this causes. We need locks to keep the creeps out but still wants the police to gain access. The current system does not enable that in a healthy way but rather erodes trust.
Us binary people can define clear simple technical solutions. But the rest of the world is quite messy. And us bit twiddlers tend to shy away from that and then ignore the push-back to our actions.
We cannot have a sober conversation unless we depart from the "encrypt everything" is technically good and then that is set in stone. But here we are: Writing off arguments as irrelevant.