In this episode: HTTPS is still bullshit because it does not enforce single origin. That is, a website can appear as “valid HTTPS” while serving up to you malicious third-party JavaScrpit and cookies and iframes and all sorts of attendant garbage.1 Worse, because of the way the Modern Internet™ works (i.e. being monetized by third-party adtech), there is no way of changing this without either, a) breaking every major website, or b) creating a multi-tier internet based around which websites can afford to shell out hundreds of dollars a year for EV certs.
- So long as they’re being served from a site that also uses HTTPS. Which pretty much everyone does nowadays, even malware vendors, largely thanks to Google pushing the technology to sell more analytics products.↩