> I cannot reply to your lower-level comment at the max nest level, but I disagree with you about https.
You've somewhat misunderstood me, or perhaps not cared to listen to what I stated, and now you're disagreeing with your incorrect interpretation of what I said. I wish you had given a point-by-point argument to what I said, and told me each sentence you disagreed with (I'll do that here).
> The contents of the https transaction is not available to the CA.
I never said that. I said, "both sides of the connection, and everyone in the middle, know who they're talking to." E.g. if you're talking to Google, then you know that you're talking to Google, and Google knows it's talking to you, and your ISP knows that you and Google are talking.
> The data is not available for snooping for intermediaries.
Yes, it is. See: NSA FLYING PIG. See: all bogus certificates ever issued by a CA. See: "Flame" malware that was signed using a bogus Microsoft certificate. See: <just do a web search>
> And tampering, while it seems like a silly check, is actually done almost casually by ISPs for a variety of reasons. They will insert executable code into an HTTP reply.
How did you interpret this statement? "...that is a social problem and not a technical one. Sure, some technical measures may mitigate that from happening, but ultimately the problem is social and users of that network should stop using it, or start tunneling their traffic some other way."
> In other words, preventing HTTPS might support the subjugation of your users by others.
No, if I don't want to support HTTPS then that is _my freedom_. Would I not be subjugated by a corporate CA, and would I not need to support that for the rest of my website's life? (Yes, I would.) And, again, it is not my responsibility to protect people from their malicious ISPs. The problem is obviously the ISP, not my website. And again, I offer trust and validity checks for all important files served by me in the form of PGP certificates.
> Sounds silly but once RMS said "proprietary software subjugates people" and it sounded like weird over-the-top political rhetoric when I heard it. But over time I notice that indeed subjugation is a huge part of our use of computers
That doesn't sound silly at all, what RMS said, but your interpretation of it certainly is. Do you believe conscientious objectors support war if they are not actively trying to dismantle the military?
I don't support the subjugation of users--I believe users ought to hold all the freedom themselves, including the freedom to protect their communications if they wish, but I don't have to actively participate in the obvious corporate racket of acquiring SSL certificates, and the eternal responsibility they require. I deserve the freedom, too, to host a site independently--and that is what mandatory HTTPS (without a distributed web of trust) will take away--not away from me, because I can always host a site no one visits, but away from users who won't anymore have the choice.
"we need completely distributed human-to-human trust without any corporate authorities."
Just to be clear: I'm not against HTTPS--I would love to have trust and validation to those I'm speaking with electronically. But, the way SSL is implemented today (with CAs) is not something I am willing to support for my personal website.
OK, but although HTTPS has some drawbacks, I think HTTP has many more drawbacks.
I think this is sort of like "lock your car doors". Yes, a dedicated thief can bypass the locks and open your car, but you don't have to leave your car doors unlocked and let anyone enter your car at will.
I think a reasonable middle ground might be to maintain HTTP and do HTTPS using letsencrypt. If one of the CAs does something to limit your freedom, you could redirect https to http and turn it off.
Anyway, it's good to see you're basing your argument on your principles, many people cave early and easily.