Comment by __MatrixMan__
1 day ago
Https everywhere is a good start, it keeps the other plebs at the coffee shop out of your business. But it's still open to anyone with enough power to coerce a CA, which is the more concerning sort of adversary anyhow. So yes, https everywhere, but let's not stop there.
Yes, but we have widely deployed efforts like certificate transparency, and cert pinning.
The first makes such attacks widely known events, browsers report by default, and it s provable. It’s very rare.
The second allows apps to only trust specific certs or CAs, ignoring system root of trust.
I just want to clarify HTTPS in practice is quite secure.
I'll not let go of my distaste for roots of trust in any form, but you likely have a point. I'll have to learn more about this transparency thing.