Not Secure

3 points by bullen ↗ HN
So now all HTTP input is "Not Secure" in Chrome. :o

3 comments

[ 2.8 ms ] story [ 19.3 ms ] thread
I suppose that's technically true (as Hermes would say, that's the best kind of true!), since anything one sends can be trivially intercepted, rewritten &c.

If we're going to default to HTTPS everywhere, though, we really should just issue certificates along with IP addresses & DNS names, rather than layering CAs on top for everything.

Indeed, the CA model seems broken by default in a nearly unfixable way, and it's primary goal seems to be to provide a web of trust which is trivial to break. HTTPS should be about encrypting point A to point B, and implementing scare warnings unless that encrypted tunnel goes back to a CA is not helping HTTPS adoption. It's not hard for malicious actors to get an HTTPS cert for their malware domains from a valid CA, so what's the point of that at this juncture?
Who is “we” that should issue certificates?

The CA system is just a patchwork solution on top of something that is fundamentally impossible: trust between any arbitrary pair of humans.