@REPLYADDR Johann 'Myrkraverk' Oskarsson
<johann@myrkraverk.invalid>
@REPLYTO 2:5075/128 Johann 'Myrkraverk' Oskarsson
@PID: Mozilla/5.0 (Windows NT 10.0; Win64; x64;
rv:102.0) Gecko/20100101 Thunderbird/102.15.1
@TID: FIDOGATE-5.12-ge4e8b94
On 9/12/2023 3:08 AM, gah4 wrote:
> On Monday, September 11, 2023 at 10:58:31 AM UTC-7, Simon Clubley wrote:
>
> (snip)
>
>> And when that happens (and it does sometimes happen), that issuer has just
>> committed suicide if it can be shown to be incompetence on the part of the
>> issuer. CAs have been dropped in the past from the major web browsers
>> because of this, but I can't remember the details.
>
>> (Other possibilities include a nation-state attack with a vector the issuer
>> could not reasonably have been aware of).
>
> This often enough happens when there isn't much trust needed.
>
> If I want to download some documentation, so that no personal
> information is needed, why the security?

[I'm late in the game, but not so late a reply isn't worth it.]

The real reason for SSL everywhere is, putting my tinfoil hat on, to
make sure ISPs can't mess with Google's business model: sell ads.

People who've never experienced it, can't really imagine it, but HTML
injection used to be a thing, and ISPs would inject ads on pages their
customers browsed, possibly replacing the Google ads.

My own experience -- when I noticed it -- was rather benign: the cafe's
wifi bill hadn't been paid, and since I was browsing a http only website
at the time, I got the notification, and showed the staff.

Xah Lee has a screenshot on his website, of the problem in action.

http://xahlee.info/w/china_ISP_ad_injection.html

And a link to Ars Technica article from 2013 on the subject. Which is
coincidentally the same time frame letsencrypt started. I remember
reading about letsencrypt in 2013 or so, but it wasn't ready yet, so I
couldn't use it for my own website at the time.

My personal take on it is this: it's much more believable that it's all
about Google's business model than end user security, but we're being
told it's about security, as a psyop.

[snip]

--
Johann | email: invalid -> com | www.myrkraverk.com/blog/
I'm not from the Internet, I just work there. | twitter: @myrkraverk
* Origin: Easynews - www.easynews.com (2:5075/128)