Comment by dannyw
1 day ago
Yes, but we have widely deployed efforts like certificate transparency, and cert pinning.
The first makes such attacks widely known events, browsers report by default, and it s provable. It’s very rare.
The second allows apps to only trust specific certs or CAs, ignoring system root of trust.
I just want to clarify HTTPS in practice is quite secure.
I'll not let go of my distaste for roots of trust in any form, but you likely have a point. I'll have to learn more about this transparency thing.