HTTPS is still bullshit, part one million.

/HTTPS is still bullshit, part one million.

In this episode: HTTPS is still bullshit because it does not enforce single origin. That is, a website can appear as “valid HTTPS” while serving up to you malicious third-party JavaScrpit and cookies and iframes and all sorts of attendant garbage.1 Worse, because of the way the Modern Internet™ works (i.e. being monetized by third-party adtech), there is no way of changing this without either, a) breaking every major website, or b) creating a multi-tier internet based around which websites can afford to shell out hundreds of dollars a year for EV certs.

  1. So long as they’re being served from a site that also uses HTTPS. Which pretty much everyone does nowadays, even malware vendors, largely thanks to Google pushing the technology to sell more analytics products. ^
2018-06-15T07:06:03+00:005th December, 2018|Tags: infosec, ssl, tech|

Leave A Comment