• Possibly linux@lemmy.zipOP
    link
    fedilink
    English
    arrow-up
    8
    arrow-down
    1
    ·
    6 months ago

    I don’t think there is any vulnerability in https. There are know limitations but https itself is fine. If you are talking about TLS vulnerabilities then we have much more to worry about. To compromise the content on a page someone would have to brute force TLS very fast which isn’t feasible with today’s computer. Today’s computer would take at least a few million years. But I have scene estimates that say long past the heat death of the universe.

    Even if https was full of holes it still would be better than http. Http has zero tamper protections or encryption. Companies like AT&T used to tamper with traffic to various purposes and it was feasible for them to do so.

    • Xephonian
      link
      fedilink
      arrow-up
      1
      arrow-down
      9
      ·
      edit-2
      6 months ago

      TLS 1.0 was released in 1999 as an upgrade from SSL 2.0 and 3.0.

      And these days we’re on v1.3 - https://www.cloudflare.com/learning/ssl/why-use-tls-1.3/

      Notice anything? There’s always a flaw. The general public hasn’t discovered it in TLS1.3…yet

      And again, Banking websites, some stuff makes a lot of sense to use encryption.

      Just not everywhere.

      • Possibly linux@lemmy.zipOP
        link
        fedilink
        English
        arrow-up
        5
        arrow-down
        1
        ·
        edit-2
        6 months ago

        TLS could be the most flawed system on Earth and it would still be better than no TLS. Plain traffic is just that, plain. I can do whatever I want to your web browser as I can arbitrarily change the contents of websites. I can make a page be full of ads or do more malicious things such as replacing a page with a phishing site or running something like beef which allows me to have full control of a browser and to pull all information. I could also exploit any vulnerabilities in the browser to do privilege escalation although to be fair major security CVEs are rare.

        This is literally a community about privacy. I don’t understand why you wouldn’t want https. It works out of the box and it is implemented pretty much everywhere. If a site doesn’t use it that site isn’t really worth using as it take very little time to setup with Let’s encrypt.