On Sat, 04 May 2019 13:02:56 -0000, Charles Bronson said:
On Fri, 03 May 2019 21:14:53 -0600, "Keith Medcalf" said:
HTTPS: has nothing to do with the website being "secure". https: means that transport layer security (encryption) is in effect. https: is a PRIVACY measure, not a SECURITY measure.
I may be wrong and if so, I am happy to be corrected, but I don't think that statement is entirely true. The certificate not only encrypts the connection, it also verifies that you are connecting to the server you intend to. That second component is a security measure.
Actually, the identity component of a certificate does *not* verify you connected to the server you *intended*. It verifies that the server you actually connected to is the one that the connection was directed to, and that you didn't get MITM'ed. That's important, but not what most people think it means. In particular, it does *not* protect against typo squatters that get hits when you accidentally try to go to faceebook.com.

Also, when a user enters cnn.com, they *intend* to visit cnn.com, and aren't thinking about the *other* 38 sites that get contacted (as reported by the IPvFoo extension). Did I *intend* to go to a125375509.cdn.optimizely.com - one of the sites that ends up getting called when I visit cnn.com? So while there's a useful security guarantee provided by the proof-of-identity, it's *NOT* what people usually think it is.

Additionally, the first component is also a security measure. Googling for "3 pillars of security" shows that they're "confidentiality, integrity, and availability". In what world are the "privacy" provisions of TLS *not* part of "confidentiality"? https://www.lmgtfy.com/?q=3+pillars+of+security
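The point made above, that TLS identity checking only asks "does the certificate the peer presented cover the name I asked for?", is easy to see by looking at what the check actually does. The following is an added example, not code from any poster in this thread: it reimplements the DNS-name matching that a TLS client performs against a certificate's subjectAltName entries (the dict shape is the one Python's `ssl.getpeercert()` returns; the two certificates, the `*.facebook.com` and `faceebook.com` names, and all helper names are constructed for illustration and are assumptions, not real certificate data). A typo-squatter holding a valid certificate for faceebook.com passes the check for a user who typed faceebook.com, while the same certificate fails for a user who typed facebook.com, which is exactly the MITM case the check is designed for.

```python
"""What TLS hostname verification actually checks (constructed example, not real certs)."""

# Certificates in the shape ssl.getpeercert() returns. Both are CONSTRUCTED for
# illustration; neither reflects any real site's certificate.
FACEBOOK_CERT = {
    "subject": ((("commonName", "*.facebook.com"),),),
    "subjectAltName": (("DNS", "*.facebook.com"), ("DNS", "facebook.com")),
}
# A typo-squatter can obtain a perfectly valid cert for a domain they control.
TYPO_CERT = {
    "subject": ((("commonName", "faceebook.com"),),),
    "subjectAltName": (("DNS", "faceebook.com"), ("DNS", "www.faceebook.com")),
}


def hostname_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style match of one dNSName SAN against the requested hostname.

    Rules: case-insensitive; a trailing dot is ignored; a wildcard is only
    honoured as the entire left-most label, matches exactly one label, and
    needs at least two literal labels after it (no '*.com').
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3:
        return False
    if any("*" in label for label in p_labels[1:]):
        return False
    # The wildcard consumes exactly one label, so label counts must agree.
    if len(h_labels) != len(p_labels) or h_labels[0] == "":
        return False
    return h_labels[1:] == p_labels[1:]


def san_dns_names(cert: dict) -> list:
    """Extract the dNSName entries from a getpeercert()-style dict."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def verify_identity(cert: dict, requested_hostname: str) -> bool:
    """Return True if the cert covers the hostname the client asked for.

    Like modern browsers, only subjectAltName is consulted; the CN is ignored.
    Note what is NOT checked: whether the user *meant* to type this name.
    """
    return any(hostname_matches(name, requested_hostname) for name in san_dns_names(cert))


def scenarios() -> dict:
    """Outcomes for the cases discussed in the thread (user-typed name, cert presented)."""
    return {
        # Typo-squatter: user typed the wrong name, squatter holds a valid cert for it.
        "typed faceebook.com, got squatter's cert": verify_identity(TYPO_CERT, "faceebook.com"),
        # MITM: user typed the right name, attacker can only present the squatter's cert.
        "typed facebook.com, got squatter's cert": verify_identity(TYPO_CERT, "facebook.com"),
        # Legitimate wildcard match.
        "typed www.facebook.com, got real cert": verify_identity(FACEBOOK_CERT, "www.facebook.com"),
        # Wildcard does not span multiple labels.
        "typed a.b.facebook.com, got real cert": verify_identity(FACEBOOK_CERT, "a.b.facebook.com"),
    }


if __name__ == "__main__":
    for case, ok in scenarios().items():
        print(f"{'PASS' if ok else 'FAIL'}  {case}")
```

In a real client the same decision is made for you by `ssl.create_default_context()` with `check_hostname` left at its default of True, so the practical reading of the thread's point is: a green padlock means "the name in the address bar is the name this certificate was issued for", nothing about whether that name is the one you wanted, and nothing about the dozens of third-party hosts the page pulls in afterwards.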