First, an anecdote: to track sleep problems I have, I bought a cheapest
smartband, a Huawei one. It has almost no controls on its own, and it's UI
needs a dumbphone (Google or Apple infested) via Bluetooth. Because
$REASONS¹ I happen to carry two phones, one of them such a dumbphone,
with no IP network connection 99.999% of the time. Setting up the
smartband requires a "Huawei account" (but works correctly without network
later on). Such an account needs a password. Alas, Huawei has weird
requirements (like, banning spaces and non-alnum chars) so none of my
usual password schemes work. Pissed off, calling them Nazis would be
inappropriate so I instead chosen the password to be "1989tiananmen".
Account creation timed off. I tried multiple times, over a few days,
both from the phone and from website, on different browsers/OSes/machines/
networks (I did not suspect a low-level interruption). Finally, choosing
a different password worked.

So, hmm, how come a https connection gets intercepted by the Great Firewall?
No hacking by the govt is involved here...

On Thu, Dec 03, 2020 at 01:38:47PM -0800, Rick Moen wrote:
> Quoting Arnt Karlsen (arnt@???):
>
> > ..meanwhile, I too lean towards Ian's contrarianism:
> > http://michael.orlitzky.com/articles/lets_not_encrypt.xhtml
>
> I couldn't possibly agree more. Let's Encrypt is a Potemkin Village
> approach to the SSL cert problem; it's pretend security that pretends as
> if a broken and unreliable CA infrastructure weren't that.

The CA cartel model is indeed broken, with its "any of thousands CAs can
sign anything" scheme. But then, Let's Encrypt at least killed their
protection racket.

Sure, the mode can be subverted by any of the CAs. But it's governments
that can order CAs to do anything, not ordinary crooks.

Imagine that you tried and failed to find any door that would taken a
skilled lockpicker more than three seconds to open. Would you leave the
entrance to your flat wide open without a door at all? That's what you're
suggesting. That the door has known security issues doesn't mean it can't
still stop causal attackers. CA-model SSL still protects us from script
kiddies.

So like a common door, it's still a good thing to have.


Meow!

[1]. Gemini PDA is an awesome micro-laptop, but it's unable to connect to
phone networks unless you reformat to a dumbphone OS.
--
⢀⣴⠾⠻⢶⣦⠀
⣾⠁⢠⠒⠀⣿⡁
⢿⡄⠘⠷⠚⠋⠀ Certified airhead; got the CT scan to prove that!
⠈⠳⣄⠀⠀⠀⠀