>Hurr durr, but user TLS is not designed to verify the legitimacy of the we-
Gtfo. 95% of internet users rely on the padlock or "SECURE" and aren't checking the domain, like you autists
How hasn't its root been pulled from the stores yet?
>Gtfo. 95% of internet users rely on the padlock or "SECURE" and aren't checking the domain, like you autists
That's their problem.
Jace Ward
cars kill. so do guns. is this the problem of the tool/technology? no. fuck off!
Joshua Martin
2nd amendment fag detected
Asher Jones
It is mainly used to secure many legitimate sites. Why should the ability to guarantee your site is your site to your users be restricted?
Adrian Adams
make an argument yourself then...
William Morris
give me a way to use a self signed cert then instead of relying on third party authorities
lets encrypt is a broken solution to a broken certification system
Caleb Peterson
people thinking https means the site is safe is not my problem
Evan Thomas
Serves the fucks right for not separating out cryptographic verification and general encryption to stop MITM snooping when designing this shitshow in the first place.
Lucas Ramirez
TLS was mistake! Never trust certificate jew.
Benjamin Sullivan
TLS doesn't secure against web hosting takedown or traffic filtering. Self-signed certificates are literally the same value when it comes down to proving domain legitimacy but browsers treat them with a freaking error page.
Andrew Rogers
This
Eli Collins
THIS
Jacob Clark
Who decides what is legitimate? Also, it (certificates) was expensive, and have no restrictions, you just need to pay.
Xavier Lee
This Literally this
Camden Stewart
/thread
Josiah Scott
MITMers can self-sign too, so blindly trusting all self-signed certs is worse than even Let's Encrypt.
The normie web is just plain fucked as far as security is concerned
Dylan Hernandez
the padlock isn't the problem because the address still appears in the URL highlighted in black (with the rest in grey)
real sites can use extended validation certificates to display the business name as well, which paypal does
none of the certs listed have been valid past late June 2016
Cars are actually strictly regulated. And guns are a constitutional right, TLS is not - don't compare both.
Jordan Walker
>Cars can be used by criminals as getaway vehicles, clearly cars were a bad idea.
>Criminals can use guns for violent crime, clearly guns were a bad idea
>Phones can be used by criminals to communicate, clearly phones were a bad idea
You get my point. Just because something can be used by bad people doesn't mean the thing is automatically bad. If you use common sense and see that you're on zbay rather than ebay, don't login.
Daniel Hernandez
No one gives cars or guns or phones away to criminals for free though.
Also, all of those are regulated in any decent country.
Juan Hall
blindly trusting self signed certs is dumb because anyone can self sign them. any of these scammers could have bought a regular domain only validated SSL cert from another provider and the effect would be the same.
Cooper White
>just use common sense, user
>it's your fault if something happens to you
Nice victim blaming, faggot.
Caleb James
>make insecurity the norm because retards are retarded
A+ logic right here
Zachary Bennett
A criminal can get a car easily, lots of used car dealerships out there have zero background checks and accept cash payments and guns are easy to get off the black market or you can make an improvised gun if you know what you're doing.
Asher Wright
fpbp
Wyatt Gomez
>encryption didn't exist before let's encrypt
You're clinically retarded.
Thomas Smith
Telling everyone that https means you're safe is becoming a mistake to blindly trust https, you need to now read the full url before trusting a website
Cooper Morris
It's still better for the data to be transferred over a secure channel than in fucking plain text.
Camden Flores
So not for free? I see.
Michael Ross
Encryption only guarantees that the connection between you and the server cannot be eavesdropped. Authentication should be done by a different thing.
Let's Encrypt is a good idea. Using https as a way to say if a website is legit is not a good idea at all.
Owen Harris
Install Web of Trust or the Netcraft Toolbar.
Grayson Scott
So your only problem is it's free? You actually think all these sites will magically disappear because oh fuck, they have to pay for it.
Nathaniel Taylor
I don't see the problem here. So some people used the word "paypal" as subdomain and who cares? The certificate is ok, the subdomain can be whatever they want. fpbp
Gabriel Edwards
Wrong. Authentication was part of https' goal right off the bat. The whole point of having a certificate authority is certifying that the certificate owner is who he claims he is. Let's Encrypt is just a bad authority.
Matthew Hall
You moved the goalposts, faggot. Better luck next time.
Jace Rivera
I didn't move any goalposts you queer, you just declared it a moved goalposts because you knew you have no argument. You're using the same arguments liberals use to kill the 2nd amendment and they're working so far, I don't want you ruining another good thing because you need a big government cock deep inside your asshole.
William Adams
This, there's no point in certificates if all you want is scrambling. RSA + DH key exchange could take care of that without the need for certificates at all.
Brandon Johnson
>cut yourself with a razor because youre too stupid to read up on how to use it first
>WAAAH ban razors!
extended validation is a thing, as is checking the url domain.
>WAAAH I opened my secure front door because someone rang the bell and he stabbed me
>it's the door's fault!
Dylan Torres
no one fucking cares.
then remove letsencrypt from your cert stores you fucking useless crybaby faggot.
oh wait you can't because you're too tech illiterate.
Gavin Roberts
Now you're strawmanning in a desperate attempt to associate me with a disliked group of people.
Keep grasping at straws, everyone's having a good laugh thanks to you.
10/10 Here is your internet training certificate sir, enjoy your stay.
Daniel Taylor
You're using the same arguments that the left uses to give up rights for the illusion of freedom. Something is used by bad people, so instead we should demonize and get rid of it, because you can't handle freedom.
Nicholas Reed
If you think I'm gonna pay some stupid company to give me a measly cert and then also pay up for everything like renewals and revocations, you can forget that. And a lot of other server owners will say the same. So yeah, killing off LE amounts to removing a lot of security because we sure as fuck aren't gonna replace it with the inferior alternatives.
Bentley King
>>make an argument
>posts a fucking article with zero context
you're like those holocaust denial fags that link you to 30 minute youtube videos.
Luke Lewis
HTTPS authenticates that paypal.com is paypal.com and that paypaal.com is paypaal.com. None of the certificates linked to in OP were for paypal.com, www.paypal.com, or any other legitimate paypal subdomain.
If they went to another provider, like Comodo or Godaddy, and typed in to buy a certificate like reallylegitimatenotfakepaypal.com, it would validate domain control (Whois contact info -> email the admin, or maintain a particular DNS TXT record) and issue the certificate after payment.
To resolve this and provide more trust to users, Extended Validation certificates were created that take far more effort to validate, and actually validate the company (business) buying the certificate. This is why when you visit paypal.com, it says "PayPal Inc." next to the padlock.
Dylan Mitchell
too bad http and browsers only provide that in the form of... yep, certs
Ryder Long
No I'm not, but you're on the verge of tears already so I'll just let you believe whatever you want. I'm not worried because anyone can read the thread and see my original point, which was: no one gives cars or guns away for free, so certificates also shouldn't be given away for free.
Asher Cook
WTF is wrong with this faggot trying so hard to politicize this thread? Fuck off!
Also, sorry to break it to you, but the left is right. Reactionary scum, off to the gulag!
Thomas Stewart
>no one gives cars or guns away for free, so certificates also shouldn't be given away for free.
That's the most retarded argument I've ever heard, I'm almost convinced you're trolling now. You're telling me a company shouldn't be allowed to do what they want and it should be regulated like everything else? Do you suck cock this much
Lucas Barnes
>inferior alternatives
Except we've just established that Let's Encrypt is the inferiorest alternative, you fag.
Jayden King
The incremental cost of issuing a certificate is next to nothing, while increasing the amount of encrypted traffic on the web to protect user traffic from ISPs, governments, and other parties snooping on it is of great value to society as a whole and internet privacy.
Chase King
They totally can do what they want, but they need to suffer the consequences and have their roots certificates removed from every trusted database out there.
You're the one saying we shouldn't be free to refuse to trust someone who can't be trusted. So you're the anti-freedom cocksucker here.
Hudson Fisher
MODS Sup Forums IS LEAKING AGAIN
Jason Ward
Alright, you had me there for a while, but Sup Forums is full of unironic communists and state worshipers so you did a great job there.
Aiden Hernandez
Sup Forums supports lets encrypt so they can get a cert without having to worry about getting their certs revoked by comodo or whatever because they were found to be too antisemitic
Chase Brown
>if you don't worship corporations, you worship the state
You may leave now.
Jeremiah Perry
It's not even a corporation, it's an organization
Noah Ramirez
>no one gives cars or guns away for fre
not the one you are arguing with but I have to add something to your discussion: Everyone can make a certificate for their own server without even having a domain. Building a car may be possible but it is way harder. In both situations there is a problem: You can't really build a car alone and be allowed to drive it freely and browsers may show a warning-sign because your certificate is not validated by something they know. In the end it doesn't really matter for the certificates because stupid idiots will click everything they want and make an exception for the certificate in their browsers anyways. Also another thing: If you buy a car from someone that doesn't really check who you are and what you want to do is the same as paying for a certificate with some stupid domain because that doesn't really get checked either. I know this because I own some payed ones. I could still do shit with it and they would never find out because my bankaccount is somewhere-else. The only way to make sure that certificates only get used for good things is to check every buyers identity from time to time and to monitor it.
Nathaniel Parker
People who get phished deserve it.
Alexander King
Phisher detected.
Luis Stewart
All your arguments to remove LE rely on a single foundation: that free https certs make it possible for fake sites to look legit
Maybe you shouldn't all have made the mistake of telling everyone the lie that https == legit website and blindly parroted it forever despite all the warnings about the fallacy in that logic. This logic does not hold up anywhere else either.
You idiots put yourself in the problem you're trying to fix at everyone else's expense, you can get yourself out. Should have rtfm instead of spreading dumb assumptions. Go fuck yourself.
Elijah Myers
To be fair, https had to be dumbed down that it's automatically safe so normalfags could listen and understand it in the very first place
Easton Ortiz
If the problem is that "people look at the padlock to check if the domain is legitimate", browsers should just look up if the domain is listed in a "legitimate websites" list to put a padlock or not, and leave the https only in the url
Jordan Fisher
The padlock only means "your connection is encrypted" not "nothing bad can happen to you here"
Cameron Cox
There is a difference between a simple TLS/SSL certificate and an extended validation certificate acknowledging a business entity you bunch of gigantic retards.
Sebastian King
>security should only be for those who have the money to spare
security should be standard for all
>learning to check the domain in the url is so much more of a problem than destroying the security of millions of sites, reversing immense progress, and costing all sites a ton of money and saddling them up with the shitty cert companies again
lazy, selfish fuck
>thinking commercial certs offer the security you think, as if they constantly evaluate all their clients
false sense of security and the resulting lazy ignorance based on fallacious logic is worse than legit security that gets abused by a tiny minority of phonies who are easy as fuck to sniff out anyway
did you have to kill a thread for this retarded bullshit?
Levi Long
See
Leo Howard
phishing sites had TLS certs before LE anyway. They just had to cough up $20 for them with a stolen credit card. It was an inconvenience to them, at best.
As always the real problem is normies being too trusting, taking shortcuts, and actively refusing to think and be cautious. This is why they get bent over and fucked in all sorts of ways by all sorts of people, online and off.
William Anderson
>having to dumb down a 2-step process
nigga please. just no. we can't keep pandering to the absolute lowest denominator forever
Dylan Lee
Sup Forums is making stupid arguments on how certificates are equivalent to guns or cars, and even arguing that OP wants much government regulation because he thinks applications (private) should ditch LE. It doesn't matter if Sup Forums supports the right alternative, they're always stupid.
This thread should end in the first post. It's not LE's fault that the users are so fucking illiterate that they believe the padlock means the site is secure. Also based on my experience, the average user doesn't even know what the padlock means and just types their secrets everywhere it requests it.
Left supports an armed proletarian, fucking limp wristed liberal.
Justin Edwards
OP thinks there is some kind of ethics check when an issuer gives a cert.
They only check one thing: is the money in our pocket?
Gabriel Hill
Actually there is no real difference except one certificate shows more information. That information may be valid if the company that validates it itself is trusted and valid. A selfsigned certificate may hold more information.
Cameron Williams
No you dense motherfuckers. Https will validate to the server you're trying to connect to. If you're going to Facebook and the https certificate can not be verified, then that means you're not connecting to the server you're trying to connect to and someone is conducting a MITM attack against you.
Whether or not Facebook is a legit website is another kind of verification.
You're mixing up two different meanings of "verification", this is the Twitter "verified account" problem all over again.
Joshua White
Isn't capitalism just great?
Easton Wood
>Authentication was part of https'
it never was in the way you mean it.
actually you are connecting a few times before the warning appears on your screen and your browser will offer the option to still accept the certificate and connect to it and showing the site. A selfsigned certificate on some domain doesn't mean there is someone doing a MITM attack.. but for known domains like facebook this could be the case OR fuckerberg just forgot to renew it.
Michael Ward
This. Just because most people are retards doesn't mean some of us shouldn't have an easy way to get our websites and other shit running over HTTPS
Nolan Flores
>good software being used for bad purposes
>OMFG anons are all dumb look at this this is soon bad we must ban this software right now look at what's it's done so wrong omfg.
This is the reason why we can't have nice things people like you who live in their mothers basements like angry gremlins and look for something to get mad about. Why don't you do your parents a favor and go become a functional member of society.
Kayden Lee
>That information may be valid if the company that validates it itself is trusted and valid.
And that's the whole point of the CA in any PKI. Any rogue CA should lose the trust that it is granted.
Jackson Ross
But what about good people that become bad after they got their certificate. Does the CA have to monitor their clients 24/7? What if they do not revoke the certificate fast enough? If the CA loses trust, then all of the customer certificates (that means: all customers of the CA) are fucked too just because ONE customer decided to be an asshole.
Luis Brooks
letsencrypt validity is solid.
whether the domain name is malicious or not is out of the scope of the project and would require a lot more manpower and funding.
if you're concerned. don't trust letsencrypt certs. but in practice it's perfectly safe.
Gabriel Nelson
What's the point of having certificate revocation if you don't use it? Why do we pay CAs money if they don't do anything?
Jayden Butler
Daily reminder there's a reason why CAcert never got included in any trustbase.
Hunter Peterson
Actually you payed just for your certificate and also these certificates show more than just a green padlock and stuff like "validated by LE". These certificates you payed for show the name of your company and stuff, if you want. Actually that is all you pay for.
Dylan Diaz
>payed
Leo Baker
So Let's Encrypt offers certificates so that phishing sites also can set up a HTTPS connection? And the "problem" is that people who visit the phishing site think it's legit because the connection is secured? Am I understanding this correctly?
Ayden Baker
Anti 2nd amendment fag detected
Easton Jackson
/thread
John Ramirez
I'm not anti-2nd amendment. I just can interpret it correctly like it has always been interpreted before Republican judicial activism. See
Christian Miller
>And the "problem" is that people who visit the phishing site think it's legit because the connection is secured
The "problem" is that most of the world is not autistic faggots and if you put green text with the words "SECURE" in front of a URL people will think it is secure
CAs should have a role in not only doing domain validation but enforcing content
So content that is illegal (hosting CP), scamming or hosting fringe political views like white supremacy or antisemitism SHOULD have their certs revoked. Those sites are not 'trusted'.
Mason Young
>What if they do not revoke the certificate fast enough
pathetic fallacy
all CAs as it is now revoke certs upon being reported for use in illicit activities
lets encrypt is run by autistic weeb fags who think the internet is for the 1% of ppl that understand public key cryptography
otherwise, the browsers should not be drawing attention to such sites as 'secure'. Or, some other form of verification beyond DV.
Samuel Gutierrez
>all CAs as it is now revoke certs
correction all CAs except lets encrypt **
Christian Baker
sorry I fucked it up. paid*
Aiden Cruz
>The "problem" is that most of the world is not autistic faggots and if you put green text with the words "SECURE" in front of a URL people will think it is secure