Why would they do this

why would they do this

Attached: chrome-https.png (640x310, 6K)

they are trying to convince users that the internet is secure by default or something. chrome is attempting to remove plain http altogether starting with explicitly marking it insecure.

>guitar
>electric guitar
>guitar
>acoustic guitar

because it's a lie just because a site is https doesn't mean it's secure

We've come full circle. Obviously "example.com" is all we ever needed, but they must always mess things up one way or another.

It means that you have confidentiality with the site.

Because https should be the new default everybody expects, however continuing to call https as "secure" is incorrect (a site can still be fucked up trash but https, yknow) so they had to fix it (but not before getting everyone on board with https).

>using google
kill you're self

They're forcing websites to be secure by default (or you won't be able to access/find them). Everything that's even more secure gets a bonus icon.

You're right, I should use Edge.

Any website can get a free Let's Encrypt or AutoSSL certificate. Just having one of those installed doesn't guarantee anything about the site not being a scam. I bet www.faecbok.ru has an SSL installed on its credit card-skimming page. The green padlock is a lie now that SSLs are available free and not verified by any trustworthy issuer.

Add to that the fact that plenty of sites don't need SSL functionality, and warning people that their blog about learning Japanese is not "secure" is totally irrelevant, and there's absolutely no point in making a big deal out of HTTPS any more.

not if the site uses cloudflare

>Add to that the fact that plenty of sites don't need SSL functionality, and warning people that their blog about learning Japanese is not "secure" is totally irrelevant
Honestly this
Google Chrome already warns me if I access the login page of the website I run on my local network saying that it's not secure
What the fuck are they even thinking?

It's a trap to trick you into acquiring malware and losing credentials and there is absolutely no excuse for it.

The point is that users will get a warning from websites that do not use HTTPS, and sites that do use it will not have any special indication or warning. It penalizes sites that do not implement HTTPS/SSL.

HTTPS was never meant to imply that a site is not a scam or that it won't steal the information you give it. It just means the server you're connecting to is what it says it is, and that your connection isn't being MITM'd or spied on by others.

they hired GNOME developers.

no I'm not joking.

they can't keep getting away with it

Why is this a good thing? Many things don't need to be secured.

Not true. Certificates verify identity. If Mcdonalds.com had an SSL cert, it meant that Mcdonalds.com was really owned by mcdonalds and not some guy squatting on the name and pretending to be mcdonalds.

Can you fucking retards stop calling it SSL? IT'S TLS

no, a cert just means that you can be sure the server responding to your request to 'mcdonalds.com' is the intended one
it doesn't guarantee that 'mcdonalds.com' is owned by 'the' mcdonalds, just that when you connect to it, you're connecting to a server which the owner of mcdonalds.com intended you to

Any site that normies visit regularly that they enter passwords, identifying information, financial information, etc. on should definitely be secured. Also, any sites that normies download things from should be secured. Basically, blogs and free news/content sites that don't have a login/account system are the only sites I can think of that normies would use (which would be the people these warnings are primarily targeted at) that don't need to be secured.

And where is that certificate verifying that identity held? On a server controlled by McDonald's. Since HTTPS requires both a certificate and a private key, someone attempting to present their server as mcdonalds.com would have to steal the key and certificate from that server for HTTPS to work. So, in effect, a certificate verifies both that the server is the one you are trying to connect to, and that the domain is controlled by the company to which the certificate was issued.

MUH minimalism

>If you have even slightest idea about TLS/SSL certificates, you’d know that there’s a thing called ‘Identity verification’ or the ‘verification process’. Basically, it’s a process that’s used to validate the identity of the certificate’s recipient. In simpler words, it’s done to make sure that the person/organization wanting to have the certificate issued is real and trustworthy. Whether it’s the most basic SSL certificate, DV or the most advanced, EV, vetting process forms a significant part of the SSL purchase process.
source: comodosslstore.com/blog/importance-of-identity-verification-while-purchasing-ssl-certificate.html

>And where is that certificate verifying that identity held? On a server controlled by McDonald's.

I'm talking "wild west" days of the internet where anyone could buy any domain name because none of them were taken. Not specifically Mcdonalds corporation, but it's definitely possible that your business's domain name could be squatted on, present itself as your business, and collect data it shouldn't. Ideally, the scammer wouldn't be able to get an SSL certificate for that site, because the CA would attempt to verify on your behalf that "mcdonalds.com" is owned by mcdonalds.

You are so fucking dumb it's absurd.

sslstrip
>inb4 HSTS
sslstrip2.0

You don't know about the fake apple.com?
xn-80ak6aa92e.com (it's "secure")

I don't know about EV, but Let's Encrypt issues DV certificates without verifying any organization information. SSL does not verify which organizations a domain is associated with.
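
What a client can read out of a certificate, as an added example that is not part of the thread: the hostname check against the SAN list, and a heuristic DV/OV/EV guess from subject fields. The certificate dicts are constructed samples in the shape Python's `ssl.SSLSocket.getpeercert()` returns; the authoritative signal is the CA/Browser Forum policy OID in the certificate, which this example does not read.

```python
# Added example. DV_CERT and EV_CERT are constructed samples, not real certificates.

def subject_fields(cert):
    """Flatten the subject RDN sequence into a {name: value} dict."""
    return {k: v for rdn in cert.get("subject", ()) for k, v in rdn}

def san_dns_names(cert):
    return [v.lower() for k, v in cert.get("subjectAltName", ()) if k == "DNS"]

def name_matches(pattern, host):
    """RFC 6125-style match: a wildcard covers exactly one leftmost label."""
    p, h = pattern.lower().split("."), host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def validation_level(cert):
    """Heuristic from subject fields only (assumption: no policy OIDs available)."""
    s = subject_fields(cert)
    if "organizationName" not in s:
        return "DV"   # domain control was checked, no organization is asserted
    if "businessCategory" in s and "serialNumber" in s:
        return "EV"   # EV subjects carry registration details
    return "OV"

def summarize(cert, host):
    return {
        "host_in_cert": any(name_matches(n, host) for n in san_dns_names(cert)),
        "level": validation_level(cert),
        "organization": subject_fields(cert).get("organizationName"),
    }

DV_CERT = {
    "subject": ((("commonName", "blog.example"),),),
    "subjectAltName": (("DNS", "blog.example"), ("DNS", "*.blog.example")),
}
EV_CERT = {
    "subject": ((("businessCategory", "Private Organization"),),
                (("serialNumber", "0000000"),),
                (("countryName", "US"),),
                (("organizationName", "Example Corp"),),
                (("commonName", "shop.example"),)),
    "subjectAltName": (("DNS", "shop.example"),),
}
```

For the DV sample the hostname check passes while `organization` is `None`: the certificate binds a key to a domain name and says nothing about who runs it.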

This requires that your network already be compromised.

Yeah, not anymore. Doesn't mean anything about verifying the identity of the domain holder anymore. But this is how it used to be, and it's why ssl certs cost anything to begin with. Real people needed to be employed to process the certificate application.

I think doing what's in is fine, because there's already a giant warning page when you go to a site with an invalid ssl cert, and you don't need to be reminded constantly of it existing. It's basically redundant, and no longer proves anything about the domain's owners.

non-repudiation

>Google penalizes you for using self signed SSL's
>Google uses self signed SSL's
What did they mean by this?

You don't understand the point of SSL.
Fuck off.

they're an "authority" and you're not

The whole movement to https-only where it isn't really even needed pisses me off
I can't sniff my own packets for GET requests on porn sites any more

>trying to derail the thread away from the topic with an irrelevant complaint

>where am I?
>[no answer]
so funnehhh

>gibs us your sould so we can secure your account mlao
>!security warnnig! you logged in, don t log out next time X---DDD
>t. golge :DD

use the network tab in your web browser.

Use sniffer with ssl strip.

Weren't they going to remove the url completely at one point? they just wanted site.com instead of members.site.com/features/articles/sport/123.asp?q=123

iTs ToO cOnFuSiNg for normies. Also why they removed backspace to go back a page. Bunch of fucking faggots.

safari does that

one of the few XBOXHUEG reasons why avoid that thing like the pest

Holy shit you're right, and this article is from 2014.
What the fuck is going on

Attached: osx-yosemite-safari8-simple-address.png (1180x748, 191K)

I think Opera does this by default until you click the bar.

>or the most advanced, EV, vetting process forms a significant part of the SSL purchase process.
>Vetting process
Literally all they do is check your company name and phone number on Dun and Bradstreet, then ring you and get one other person at the company identify you. One of our sales guys was passing while I was in the comms cupboard talking to them so I had him do it. Frankly, I could have had them ring me back on my mobile number and put on an accent.

Try living in China for a year.

Seeing an HTTPS connection is pretty rare when you are behind the GFW.

>The green padlock is a lie now that SSLs are available free and not verified by any trustworthy issuer.
you just don't understand the point of SSL
SSL isn't about tying the identity of a company to a domain, but rather a server to a domain
all it ensures is that when you connect to 'faecbok.ru', you can be sure you're connecting to 'faecbok.ru', with no mitm (be it a company/hotspot proxy, dns poisoning, isp redirection, etc), it has nothing to do with differentiating 'faecbok' and 'facebook', that's up to the user to look at the domain they're connecting to. there's no fix for stupid users
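
Since a valid certificate says nothing about whether a name is a lookalike, that check has to happen separately. The following is an added example, not part of the thread, that flags the two cases raised above: a punycode homograph of "apple" and a typo domain like faecbok.ru. The brand list, the partial confusables map and the naive second-level-label extraction are assumptions, and the homograph sample is constructed from code points.

```python
# Added example. CONFUSABLE is a partial, constructed map; BRANDS is hypothetical.
CONFUSABLE = {"\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
              "\u0441": "c", "\u0445": "x", "\u0443": "y", "\u04cf": "l", "\u0456": "i"}
BRANDS = ["apple", "facebook"]

def to_unicode(domain):
    """Decode xn-- labels with the punycode codec; leave other labels alone."""
    out = []
    for label in domain.lower().rstrip(".").split("."):
        if label.startswith("xn--"):
            label = label[4:].encode("ascii").decode("punycode")
        out.append(label)
    return ".".join(out)

def skeleton(domain):
    """Replace confusable characters with the Latin letters they resemble."""
    return "".join(CONFUSABLE.get(ch, ch) for ch in to_unicode(domain))

def osa_distance(a, b):
    """Edit distance where swapping two adjacent characters counts as one edit."""
    d = [[max(i, j) if 0 in (i, j) else 0 for j in range(len(b) + 1)]
         for i in range(len(a) + 1)]
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = a[i - 1] != b[j - 1]
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]

def check(domain, max_edits=2):
    """Return (kind, brand) findings for a domain name."""
    uni = to_unicode(domain)
    label = skeleton(domain).split(".")[-2]   # naive: no public-suffix handling
    findings = []
    for brand in BRANDS:
        if label == brand and not uni.isascii():
            findings.append(("homograph", brand))
        elif label != brand and osa_distance(label, brand) <= max_edits:
            findings.append(("typo", brand))
    return findings

# Constructed sample: an all-Cyrillic label that renders like "apple".
HOMOGRAPH = "xn--" + "\u0430\u0440\u0440\u04cf\u0435".encode("punycode").decode("ascii") + ".com"
```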

you can always mitm yourself, just use an https proxy, with a self-signed certificate in your browser