HTTPS Is A Privacy Nightmare

Every day, I see someone from the InfoSec community reminds the importance of “using HTTPS”. The community has a definite agreement on how HTTPS secured our communications. EFF suggest it. Snowden suggests it. Anyone who cares about her privacy should be using HTTPS.

I don’t know why nobody says it out loud but TLS is flawed by design. It relies on third parties called Certificate Authorithies. A CA is basically a company or an organization. They may get compromised. Remember DigiNotar breach? They did get compromised. Remember TURKTRUST fiasco? They made serious mistakes. In 2017, Google decided not to trust WoSign and StartCom due to their poor security. What if their systems are compromised before that?

These are just the ones that made it to the public. Maybe there were other incidents. Maybe some big CA’s root certificate’s been stolen and nobody knows about it. And what I think is black hats should be the least of our concern. There are governments, nation-states, state-backed hackers we should worry about.

For example, last year Kazakhistan started enforcing its citizens to use a state-issued certificate. The other governments aren’t so transparent about it. After reading NSA files, I wouldn’t be surprised if NSA already hacked some of the big CAs. I don’t see what stops governments from issuing a subpoena for the CAs in their countries to sign a certificate so they could sniff the communication of whoever they want. Or, I don’t know, they could just do what Kazakhistan is doing. As far as I know, people tend to be persuaded if they believe it’s to fight against terrorism or child porn.

Governments are hungry. Hungry for power. Hungry for data. We live in surveillance states. CCTVs are installed everywhere. In London, the city with 9 million inhabitants, there is 1 CCTV camera for every 14 people. It doesn’t matter how liberal they are, governments like to watch. They never miss a chance to be in more control. In these pandemic days, Israel started tracking its citizens to manage the covid19 spread. We’ll see whether Israel is going to yield this power after the disease is contaminated or not. Just today, Hungarian parliament granted unlimited power to Prime Minister Orban to fight against the pandemic.

So, this is a call for all the cypherpunks out there! We need to replace the TLS protocol with something decentralized. This should be our next big step in the war against surveillance. If we leave it as it is, we won’t be able to protect our privacy in the future.