@rysiek@mastodon.technology

It’s not that simple.

The article you linked explains:

"This is normally done through the target's mobile operator, which some governments can access or control."

How many CAs are state-run agencies? How many CDNs (behind HTTPS) can be subject to similar impositions?

If a state can force a mobile operator to track a citizen, why do you think it cannot force it to serve certain DNS records, certain TLS certificates and so on to certain people only?

Also, HTTPS leaks a lot of information about every visitor to the site owner (IP, cookies), and you are assuming the hosting/cloud provider is not malicious, while often it is.
And these leaks apply to everybody, not just to targeted victims.

You just need to control/compromise a single hosting/cloud provider and lure the victim to one of its HTTPS websites to install the same malware without the website owner knowing anything AND without the victim suspecting anything (it's HTTPS, so it's safe, isn't it?).

On the other hand, HTTP proxies can cache requests and hide you from the server.

It's dumb to blame HTTP website owners for the victims killed by criminals and governments: it's the whole Web that is broken and insecure at heart, HTTPS or not.

We need people to understand how it works in depth so that they can foresee the risks.

A false sense of security is MORE dangerous than a known state of insecurity.
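One concrete way to act on the question "how many CAs are state-run agencies?" is to inventory what your own machine trusts. The following is an added example for this thread, not the poster's code and not from the linked article; it uses only the Python standard library, and the sample certificate dicts (including the "Constructed National PKI" entry) are constructed test data in the shape that `ssl.SSLContext.get_ca_certs()` returns.

```python
"""Trust-store audit: which organisations and countries does this machine
trust to vouch for *every* HTTPS site it visits?

Added example, not the poster's own code. Relies on
ssl.SSLContext.get_ca_certs(), which returns one dict per loaded CA
certificate; its 'subject' field is a tuple of RDNs, each a tuple of
(attribute, value) pairs, e.g.
((('countryName', 'US'),), (('organizationName', 'Example Root CA'),)).
"""
import ssl
from collections import Counter


def subject_field(cert, key):
    """Return the first value of attribute `key` in a cert dict's subject, or '?'."""
    for rdn in cert.get("subject", ()):
        for name, value in rdn:
            if name == key:
                return value
    return "?"


def count_by_country(certs):
    """Count trusted CA certificates per subject country code ('?' if absent)."""
    return Counter(subject_field(c, "countryName") for c in certs)


def organizations_in(certs, country):
    """Sorted, de-duplicated organisation names of CAs whose subject is in `country`."""
    return sorted({subject_field(c, "organizationName")
                   for c in certs
                   if subject_field(c, "countryName") == country})


def load_system_cas():
    """Load the CA certificates the default client context trusts on this host."""
    ctx = ssl.create_default_context()   # calls load_default_certs() internally
    return ctx.get_ca_certs()


# Constructed sample data (not real certificates) mirroring get_ca_certs() output.
SAMPLE_CERTS = [
    {"subject": ((("countryName", "US"),),
                 (("organizationName", "Example Root CA Inc"),),
                 (("commonName", "Example Root"),))},
    {"subject": ((("countryName", "US"),),
                 (("organizationName", "Another Example Trust"),),
                 (("commonName", "Another Root G2"),))},
    {"subject": ((("countryName", "XX"),),                      # XX: placeholder country
                 (("organizationName", "Constructed National PKI"),),
                 (("commonName", "Government Root"),))},
    {"subject": ((("organizationName", "No Country Given"),),   # no countryName at all
                 (("commonName", "Orphan Root"),))},
]


def report(certs):
    """Human-readable summary: certificates per country, then orgs per country."""
    lines = []
    for country, n in count_by_country(certs).most_common():
        lines.append(f"{country}: {n} CA certificate(s)")
        for org in organizations_in(certs, country):
            lines.append(f"    {org}")
    return "\n".join(lines)


if __name__ == "__main__":
    system = load_system_cas()
    # Fall back to the constructed sample when the host has no store loaded.
    print(report(system if system else SAMPLE_CERTS))
```

The subject country says where a CA is registered, not who can compel it; the point of the post is that the two are related but not identical, so treat the output as a starting inventory of jurisdictions you are implicitly trusting, and compare it against the trust stores of your browser, which often ship their own lists separate from the OS.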
