HTTPS is becoming increasingly important for every website out there on the internet and even on intranet sites. As HTTPS prevents eavesdropping and MiTM attacks. All major browsers discourage visiting HTTP-only websites and there are multiple initiatives to issue TLS/SSL certificates needed for HTTPS to as many websites as possible… except to websites based in US-sanctioned countries.

The prime example of excluded from the secure internet due to US sanctions is the DPRK. While the China-based DPRK website Uriminzokkiri has a valid TLS/SSL certificate, all DPRK-based websites such as Naenara, KCNA, Voice of Korea and Rodong Sinmun do not have access to any kind of TLS/SSL certificate.

What do we do? Try to take action via our US-based comrades? Try to start our own CA?

  • TrankieHammer@lemmygrad.ml
    link
    fedilink
    English
    arrow-up
    2
    ·
    1 year ago

    Not really. Anyone can self-sign a certificate, even someone conducting a Man-in-the-Middle.

    By allowing self-signed certs, the average user could be lulled into a false sense of security. These users could easily believe that they have connected directly, securely, and safely to a website, when they have actually connected to an impostor site or a MitM proxy.

    • Prologue7642@lemmygrad.ml
      link
      fedilink
      English
      arrow-up
      1
      ·
      1 year ago

      Sure, but the communication is still encrypted. Apart from the sense of security, it is at least as safe as just http. So I find it funny that when you access http site you don’t get a warning about the site being unsafe, but with a self-signed certificate you do.

      • TrankieHammer@lemmygrad.ml
        link
        fedilink
        English
        arrow-up
        4
        ·
        1 year ago

        Sure, but the communication is still encrypted.

        Good point, but what’s the point in encrypting data if it just goes straight onto the hands of an adversary?

        Sure, other adversaries can’t also steal a copy of the same data, but I’m not sure if that’s really a concern if you’ve just handed your bank account login to gangsters. They can’t steal your savings if someone else already stole them first, if you catch my drift. And if it’s some other random login-password combos, you’ll just end up with your password in two darkweb dumps rather than one.

        I’m not saying that you’re wrong, but it’s a relatively minor distinction. Both self-encrypted https and plain http deserve big warnings for end-users.

        I suppose it’s all pointless anyway, now that I think about it. The NSA’s BULLRUN can purportedly break TLS-based encryption. I’d wager that they backdoored themselves at the cert-isssuers, Clipper-chip style.

        So I find it funny that when you access http site you don’t get a warning about the site being unsafe…

        What browser are you using? I use Firefox, Mullvad Browser, and occasionally Chromium (all on Linux), and they all complain about plain http sites (as far as I recall).

        • Prologue7642@lemmygrad.ml
          link
          fedilink
          English
          arrow-up
          4
          ·
          1 year ago

          I use Firefox and if I visit http site I don’t get any warning, only the red symbol next to the address bar. If I visit https site with non-valid certificate, I get the site where I have to click I understand the risk or something like that to continue.