this post was submitted on 16 Aug 2023
86 points (90.6% liked)

Technology

59607 readers
3610 users here now

This is a most excellent place for technology news and articles.


Our Rules


  1. Follow the lemmy.world rules.
  2. Only tech related content.
  3. Be excellent to each another!
  4. Mod approved content bots can post up to 10 articles per day.
  5. Threads asking for personal tech support may be deleted.
  6. Politics threads may be removed.
  7. No memes allowed as posts, OK to post as comments.
  8. Only approved bots from the list below, to ask if your bot can be added please contact us.
  9. Check for duplicates before posting, duplicates may be removed

Approved Bots


founded 1 year ago
MODERATORS
 

cross-posted from: https://lemmy.world/post/3301227

Chrome will be experimenting with defaulting to https:// if the site supports it, even when an http:// link is used and will warn about downloads from insecure sources for "high-risk files" (example given is an exe). They're also planning on enabling it by default for Incognito Mode and "sites that Chrome knows you typically access over HTTPS".

you are viewing a single comment's thread
view the rest of the comments
[–] SimplePhysics@sh.itjust.works 5 points 1 year ago* (last edited 1 year ago) (1 children)

The latest version of TLS (used in the latest version of HTTPS), 1.3, is very secure. Most websites these days support 1.3/128 bits, making it quite hard to crack. One major weakness of HTTPS is that, if a certificate authority is compromised, the hackers can issue certificates for ANY website, which browsers will accept as secure until the certificates are revoked/expired/CA removed from trusted list in browser. This loophole can also be exploited by nation states (forcing the CA to issue certificates).

If you are doing something really private, use something like Matrix (E2EE mode), Signal, or Telegram (E2EE DM).

TLDR: Modern HTTPS is incredibly secure, except there is a loophole that nation states and hackers can exploit if they compromise/gain control of an approved certificate authority. If you are doing something you really dont want anyone to find out (top secret files), use an encrypted service that does not rely on the TLS/SSL/HTTPS stack.

Oh, there was an effort to solve above loophole, I’m not sure if it got anywhere though.

Edit: the point of my comment is to state that HTTPS encryption isn’t necessarily weak, just the handshaking process has some problems.

[–] tabular@lemmy.world 1 points 1 year ago (1 children)

Is there a secure option that uses all the features minus the 3rd party certificate parts?

[–] SimplePhysics@sh.itjust.works 3 points 1 year ago* (last edited 1 year ago)

No, they were working on a solution a while ago, where a website would list what CA it used so you couldn’t get a random CA to issue a cert, but that effort was abandoned iirc.