Comment by st3fan
2 years ago
Yes, but we abandoned that idea a while ago. There are no more green locks in browsers. Nobody buys those expensive certificates that prove ownership. When you curl something it doesn't show anything unless it is an actual invalid certificate.
You are correct that it _should mean_ but reality today is that it doesn't mean anything.
No, it still means that you've connected to the domain that you wanted to connect to and the connection is reasonably resistant to MITM attacks. It doesn't say anything about who controls the domain, but what it provides still isn't nothing.
It is not about the domain.
"It is not a good indicator of trustworthiness of the actual thing you download."
I just downloaded something with malware from github.com. I indeed wanted to connect to github.com and I trust that it is Github.com. But again ... it did not say _anything_ about the trustworthiness of the _actual_ thing I did, which was to download an asset from that domain.
That is my point. In the context of this discussion about downloading dependencies.