
Yes. Of course we still need the certificate system and the big fat warning boxes.

But you didn't address the problem here. You are essentially arguing we should keep the steel-bolted doors, and I agree, but that doesn't exclude us from doing something about all the traffic that doesn't even have padlocks.




HN doesn't promise me encrypted access to content, so I do not care whether it's encrypted or not. HN is not an online bank.

My bank however obviously must promise me encrypted access, or else nobody would use it.

The browser has no way of knowing whether a site should be encrypted; only that it says it is encrypted.


>My bank however obviously must promise me encrypted access, or else nobody would use it.

Hahaha, you're joking, right?


The core issue is that encryption is useless without authentication. A MITM could just replace the original self-signed certificate with his own and read the decrypted plaintext while proxying the request so the user doesn't notice.


Yes; more importantly, a MITM can replace a validly signed certificate with a self-signed certificate. If browsers are lax about self-signed certificates, all TLS connections are weakened, not just the ones that "opt out" of "good" certificates.
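Added example, not part of any comment in this thread: a local check of the last two points using the `openssl` CLI (assumed to be on the PATH). It compares a strict verification policy with one that also tolerates self-signed certificates. The CA, the host name `bank.example` and all keys are constructed for the demo.

```shell
#!/bin/sh
# Constructed demo: every key, name and certificate is generated locally.
set -eu
WORK=$(mktemp -d)
HOST=bank.example   # hypothetical site name (assumption)

make_certs() {
  # A private CA standing in for a browser-trusted authority.
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
  # The site's certificate, signed by that CA.
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$HOST" \
    -keyout "$WORK/site.key" -out "$WORK/site.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/site.csr" -CA "$WORK/ca.pem" \
    -CAkey "$WORK/ca.key" -CAcreateserial -days 1 \
    -out "$WORK/site.pem" 2>/dev/null
  # A self-signed certificate carrying the same name, i.e. what the
  # client would be shown if the certificate were swapped in transit.
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$HOST" \
    -keyout "$WORK/swap.key" -out "$WORK/swap.pem" 2>/dev/null
}

# Strict policy: the chain must end at the trusted CA.
# (Host name matching is left out; both certificates carry the same name.)
strict_accepts() {
  openssl verify -CAfile "$WORK/ca.pem" "$1" >/dev/null 2>&1
}

# Lax policy: like strict, but a self-signed certificate is also accepted
# (it is treated as its own trust anchor).
lax_accepts() {
  strict_accepts "$1" || openssl verify -CAfile "$1" "$1" >/dev/null 2>&1
}

# Print "accept" or "reject" for policy $1 applied to certificate file $2.
verdict() {
  if "$1" "$2"; then echo accept; else echo reject; fi
}

make_certs
for c in site swap; do
  echo "$c: strict=$(verdict strict_accepts "$WORK/$c.pem")" \
       "lax=$(verdict lax_accepts "$WORK/$c.pem")"
done
```

Under the lax policy both certificates are accepted, so a client connecting to a site with a CA-signed certificate gets no signal when the self-signed one is substituted; only the strict policy tells them apart.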



