The EU is poised to pass a sweeping new regulation, eIDAS 2.0. Buried deep in the text is Article 45, which returns us to the dark ages of 2011, when certificate authorities (CAs) could collaborate with governments to spy on encrypted traffic—and get away with it. Article 45 forbids browsers from...
Until they pass a law making it super duper no-no bad for anyone but the government to use this power.
… cause that’s how the internets works, it’s okay when the government does it, and they are able to control everything on the internet through regulations. Didn’t you know that?
It's like every 2 days there is a catastrophic law for privacy introduced in the EU. Last time with E2EE now with HTTPS. It seems that the EU would agree to stop bit tech from spying but they don't want anyone to hide from them.
Centralized CAs were and are a mistake. HTTPs should work more like ssh-keys where the first time you connect to a website it's untrusted, but once you have validated it the website you want, it never bothers you again unless the private key changes. Private key rotations can be posted on public forums, or emailed, or any number of other ways and users that don't care can ignore the warnings like they do anyway, while users who DO care, can perform their own validation through other channels.
The most important aspect is that there is no "authority" that can be corrupted, except for the service you are connecting to.
There is no way a user can know the website is real the first time it's visited, without it presenting a verifiable certificate. It would be disastrous to trust the site after the first time you connected. Users shouldn't need to care about security to get the benefits of it. It should just be seamless.
There are proposals out there to do away with the CAs (Decentralized PKI), but they require adoption by Web clients. Meanwhile, the Web clients (chrome) are often owned by the same companies that own the Certificate Authorities, so there's no real incentive for them to build and adopt technology that would kill their $100+ million CA industry.
There is no way a user can know that their traffic hasn't been man-in-the-middled by a compromised CA either. And why is it "disastrous" to trust a website after you have cryptographically verified its the same website you visited before? It would present the same public/private key pair that you already trust.
Literally everybody does SSH wrong. The point of host keys is to exchange them out-of-band so you know you have the right host on the first connection.
And guess what certificates are.
Also keep in mind that although MS and Apple both publish trusted root lists, Mozilla is also one of, if not the, biggest player. They maintain the list of what ultimately gets distributed as ca-certificates in pretty much every Linux distro. It’s also the source of the Python certifi trusted root bundle, that required by requests, and probably makes its way into every API script/bot/tool using Python (which is probably most of them).
And there’s literally nothing stopping you from curating your own bundle or asking people to install your cert. And that takes care of the issue of TOFU. The idea being that somebody that accepts your certificate trusts you to verify that any entity using a certificate you attach your name to was properly vetted by you or your agents.
You are also welcome to submit your CA to Mozilla for consideration on including it on their master list. They are very transparent about the process.
Hell, there’s also nothing stopping you from rolling a CA and using certificates for host and client verification on SSH. Thats actually preferable at-scale.
A lot of major companies also use their own internal CA and bundle their own trusted root into their app or hardware (Sony does this with PlayStation, Amazon does this a lot of AWS Apps like workspaces, etc)
In fact, what you are essentially suggesting is functionally the exact same thibg as self-signed certificates. And there’s absolutely (technically) nothing wrong with them. They are perfectly fine, and probably preferable for certain applications (like machine-to-machine communication or a closed environment) because they expire much longer than the 1yr max you can get from most public CAs. But you still aren’t supposed to TOFU them. That smacks right in the face of a zero-trust philosophy.
The whole point of certificates is to make up for the issue of TOFU by you instead agreeing that you trust whoever maintains your root store, which is ultimately going to be either your OS or App developer. If you trust them to maintain your OS or essential app, then you should also trust them to maintain a list of companies they trust to properly vet their clientele.
And that whole process is probably the number one most perfect example of properly working, applied, capitalism. The top-level CAs are literally selling honesty. Fucking that up has huge business ramifications.
Not to mention, if you don’t trust Bob’s House of Certificate's, there’s no reason you can’t entrust it from your system. And if you trust Jimbo’s Certificate Authority, you are welcome to tell your system to accept certificates they issue.
A better solution would be to have both at the same time.
Browser says: x number of CAs say that this site is authentic (click here for a list). Do you trust this site? Certificate fingerprint: ... Certificate randomart: ...
And then there would be options to trust it once, trust it temporarily, trust it and save the cert. The first 2 could also block JS if wanted.
I can see this would annoy the mainstream users, so probably this should be opt-in, asked at browser installation or something like that.
Here's how to massively increase your self confidence, character, and be virtually impervious to depression. Privacy is an essential Human need. We feel insecure with no privacy as it should.
Refuse to give any data about your digital or physical self unless when absolutely, undoubtedly, justifiably neccessary, especially to anyone that allows third parties to snoop you, that could be anyone/anything! Keep telling yourself, not only will I not let Big-Tech/Gov breach my privacy and collect data about me and monetize mefor free, I'm not for sale at any price.
I am not for sale at any price.
I'M NOT FOR SALE AT ANY PRICE. It will be hard for me to do, much of my behavior will need to be changed, but I am worth it.