There's plenty of crazy people ranting around on the internet, as we all know, and I certainly don't have time to address all of them. Normally I don't; I kind of just go, "Hey, well, they believe something I completely don't believe," or they're just kind of nutty. But Bryan Lunduke has been around for a little while, and as a long-time Linux person you will run into Bryan and some of his fun rants on, you know, different things he's done. Because he actually has some credibility in the market, I guess, we will discuss his crazy 23 minute and 39 second rant on "HTTPS is dangerous". By the way, maybe he'll update this, but as of right now he doesn't really have anything to tell us more about why he thinks it's dangerous other than his words, with no backing. So we're gonna run through a couple of things he talks about real quick here. "HTTPS encrypts a connection, verifies the authenticity of the site." That is my first problem. Now, does it encrypt? Yes. Does it verify the authenticity of the site? He doesn't take the time to discuss the type of certificate it is. For example, if you use Let's Encrypt there is no verification of the site; Let's Encrypt is an automated encryption system and it will not do any validation. If you are selling online you need things like an EV certificate, extended validation, and I say that as someone who has a web development company and who has set these up and set up e-stores and all kinds of fun stuff.
Yes, you need to have extended validation certificates, and they actually verify who you are. Matter of fact, years ago when this started they used to have to mail you things and verify your address. They go through a little bit less now, but you do have to pay for it, and they do some level of verification of your real company depending on the type of certificate you get, for extended versus the real basic certificates. And Google is now favoring some of the HTTPS because we want to see levels of encryption, and the encryption is fine, which we're going to get to in a second, but there are different types of security. On some of my websites I use just the basic, when we're not selling anything on there or we don't have any links to where payment or private data goes; we just want encryption, so we'll use a Let's Encrypt certificate. So "verifies the site": only in certain cases. And then he claimed that's a myth, that it doesn't do anything to verify it; there actually is some verification. I don't know why he has a problem with certificates expiring. Now, the reason they expire is because, what if I, you know, shut down a website or at least no longer maintain it? The verification needs to go through. Now, if it's an automated system on Let's Encrypt it will automatically never expire, and it's funny because I think in there he actually says, "Well, Apple's getting sued for this, forced obsolescence." So I'm like, no, if you're using an EV cert they want to keep verifying the company is in business; that way there's some type of mechanism by which to expire it. And that's actually the nice thing about when you're using non-verified things like Let's Encrypt: it's automated. I don't have to think about my Let's Encrypt certificate expiring; it automatically keeps renewing on all the websites we have it on. So, "forced obsolescence".
Okay, weird, but let's jump to the other things he has to say here. This is where he grabs his tinfoil hat and firmly places it on his head. So, "SHA-1, Secure Hash Algorithm, developed by the NSA." Sorry, Mr. Lunduke, not everything by the NSA is awful, bad and out to destroy things. He also makes the viewers think, if you don't know what SHA-1 is, that it's a magic black box that you put data in and encrypted data comes out. That's not how this works. These are published math algorithms, so they're essentially open source and an open standard, so we can understand them, and very smart people who are better at math than me have gone through these algorithms and we've seen, you know, verification. It's not some mystical "we don't know, we just plug in these magic formulas developed by the NSA and blindly trust them." No, people like Bruce Schneier, people like Matthew Green, people who are really good at math and engineering, have gone through this and gone, "All right, this is good." Now, what we do know is the key size used for SHA-1: they have been able to, because as computing gets faster, and you can remember how this works, they create a security algorithm where you have to guess the password, and the idea is it's hard to guess. Well, "hard to guess" is based on the speed of the computer; as computers become faster we have seen, and we're now retiring SHA-1, which has been around for a very long time, because you can now crack it within reasonable time, because we have massive data centers. You could use the power of these data centers to basically brute force your way through it, and there's been people who have been able to create some of these, where they created, essentially, a collision and were able to crack SHA-1. It's not arbitrary, it's not easy, but if you have money to throw at compute time at a data center you can do it. But that's also why we've deprecated this.
This is where he moves into the next part: "SHA-2, developed by the NSA." So SHA-2 is the replacement, because it uses a much larger key, and therefore we've now kicked it down the road till we have super, super fast computers, maybe thousands of years from now, that are able to crack this. So, SHA-2: no, there's not any easy way to crack this. But once again he says "developed by the NSA." Well, the NSA does, as much as I will agree with you that they're not the greatest people, they are a spying agency and we should fight against that, and I hate all the privacy concerns with them, but they also do have to protect their stuff, and so if they contribute to the mathematics community and it gets vetted, it's not like, once again, they're not submitting a black box going "use our magical encryption box." No, they are submitting an algorithm, an algorithm that is able to be researched and read. So yeah, I don't really understand this, but we're gonna get to a couple other things. I will of course leave links to all my sources for this information; he has a lack of sources other than his voice and rant. He's been around the Linux community, so I'm not saying you have to verify everything; you get some clout for being around for a little while, but yeah, he's really going off there. Now, this is where he jumps in: "recommended random number," here, blah blah blah, and talks about NIST adopting NSA standards and rants about that. And before we jump into the "more complexity" moment, I believe that's the part I really want to address. So first let's go through and cite sources for this if you're not familiar with this, and we're gonna actually start right here: "Intent to Deprecate and Remove: Trust in existing Symantec-issued Certificates."
He says you can just hack a CA, you know, it's arbitrary, "any real hacker worth their salt." No. When problems are found in CAs, and Symantec did a horrible job with their CA system, no one knows anything that was compromised in their CA system, but that being said, Google took hard steps against them and said, "Look, you guys have some flaws we found in your process, we don't like it," through their security research team. So they are now removing and deprecating trust in these and actually shortened the validity of their certificates, to make sure Symantec was following process. Symantec's answer, which was good: DigiCert has a great reputation as a CA, so DigiCert acquired Symantec. I think that's kind of the solution, like, "we're bad at it, we're gonna sell it to you guys." And you can follow all the details; I'm not gonna read it to you, but you get the idea, and I'll once again leave both of these in here. So that was how that happened. Now let's address "The strange story of Extended Random," and I'm gonna leave this; I'm not gonna read the entire article to you, but I want you to read through it if you want. I'll give you the short of it here. We do realize that the NSA made some attempts. Now, for security to work you need entropy, as in random numbers; that's a very important thing. So there was some influence: the NSA attempted to create random number generators that were not so random, in a way that works like this. Let's say the random number generator, you know, produces numbers between one and a billion, but it turns out they're not quite so random; it actually, let's just say, produces more like a thousand different numbers. So to the naked eye you'd say, "Wow, it just keeps using the same thousand numbers out of a potential billion." Therefore it becomes increasingly easy to hack. This is just a concept, I'm overviewing it real lightly here, but if you want to read the details the numbers are much bigger than what I'm talking about. And we're gonna talk about the actual thing that happened.
So we're gonna jump down here, and it's called Extended Random. "In the course of reverse engineering the Java version of BSAFE we discovered a funny inclusion. Specifically, we found that BSAFE supports a non-standard extension of the TLS protocol called Extended Random. The Extended Random extension is an IETF draft proposed by an NSA employee named Margaret Salter, at some point head of the NSA's Information Assurance Directorate, which worked on defensive crypto for the DoD, along with Eric Rescorla as a contractor. Eric was very clearly hired to develop a decent proposal that wouldn't hurt TLS and would primarily be used on government machines. The NSA did not share their motivations with him." So in short, what they did, and what BSAFE is: this is a specific protocol, part of the overall RSA, and all the details are in here, but it added a certain kind of nonsense to it to make a more predictable TLS handshake, and this is the handshake protocol that is underlying for SSL, and it would try to produce that under these circumstances. Now, these were, oddly enough, only targeted at standards for government machines to use, and they comment in here, and like I said I'm leaving a link to this, that the systems were never put in place; they can find no active usage of any of this. So this is all... it's very extensive, and we don't worry; we know the NSA is trying and going real hard against this and they are trying to add this, and what this actually did, I like it actually: "the data acts as rocket fuel, significantly increasing the efficiency of exploiting the Dual EC backdoor to decrypt TLS." Basically, like I said, you're adding, instead of having a high entropy, a lower entropy.
So we have fewer keys to search. Still not arbitrary to crack, still difficult, but if you know the predictive keys that this is likely to produce, you then can say, "Okay, out of the billion it only grabs these thousand, so I only have to try these thousand," or whatever the number is, but it's obviously bigger than that. I have to try these fewer, smaller key sets to try to decrypt the data that was encrypted on there. Now, this is also long since broken with some of the other newer things that are on there, and of course this never really got in use and wasn't in use, because security researchers, once again, this is all highly open, and these math algorithms, if you're good at math you can read them and learn for yourself. So you can understand that these were not put in place. They were audited, they were vetted, they went "this is stupid" and didn't use it. So this is also why things happen like this, and we're gonna go to Bruce Schneier. This guy's wicked smart; if you haven't read his books, go read his books if you got some time, or just read his blog and you can get an idea of what he's into there. Also Matthew Green, really smart guy. If you didn't know who Matthew Green is, by the way: "Matthew Green. I'm a cryptogr... I'm sorry, cryptographer and professor at Johns Hopkins University. I've designed and analyzed cryptographic systems used in wireless networks, payment systems and digital content protection platforms." His research is extensive. He's very well respected in the community, not tinfoil hat; he documents the math, and like I said, that's why his posts are so long. So is Bruce Schneier; he's been writing about security issues, has some really interesting topics. I've actually had the pleasure of meeting Bruce Schneier. He's a great guy, did a keynote at an event I was at, really smart on these same things, very tight on security and cares deeply about privacy. So these are two people who are well respected in the community, and definitely great.
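The reduced-entropy idea the speaker sketches here, as an added example that is not from the video or from Matthew Green's article: a constructed "weak" generator claims the billion-wide range but only ever emits 1,000 distinct values, and a collision count plus a min-entropy estimate over raw output flags it next to Python's secrets module. The generator, the sample size and the thresholds are all my assumptions.

```python
import math
import random
import secrets
from collections import Counter

KEY_SPACE = 10**9  # the "one in a billion" range used in the video


def good_rng(n):
    """Samples from the OS CSPRNG (secrets): the reference behaviour."""
    return [secrets.randbelow(KEY_SPACE) for _ in range(n)]


def weak_rng(n, pool_size=1000, seed=12345):
    """Constructed stand-in for a backdoored generator: it advertises the
    full billion-wide range but only ever emits pool_size distinct values."""
    rnd = random.Random(seed)  # seeded so the example is repeatable
    pool = [rnd.randrange(KEY_SPACE) for _ in range(pool_size)]
    return [pool[rnd.randrange(pool_size)] for _ in range(n)]


def entropy_report(samples, key_space=KEY_SPACE):
    """Health check a defender can run on raw generator output:
    - collisions: repeated values seen vs. the birthday-bound expectation
    - min_entropy_bits: -log2(p_max), the most-common-value estimate
      used in NIST SP 800-90B
    - worst_case_guesses: distinct values observed, i.e. the size of the
      key set an attacker would need to try if the pool were known"""
    n = len(samples)
    counts = Counter(samples)
    distinct = len(counts)
    p_max = max(counts.values()) / n
    return {
        "samples": n,
        "distinct": distinct,
        "collisions": n - distinct,
        "expected_collisions": n * n / (2 * key_space),
        "min_entropy_bits": -math.log2(p_max),
        "worst_case_guesses": distinct,
    }


def is_suspicious(report, slack=5, factor=10):
    """Flag a generator whose output repeats far more often than the
    birthday bound predicts for the range it claims to cover."""
    return report["collisions"] > factor * report["expected_collisions"] + slack


if __name__ == "__main__":
    for name, gen in (("secrets", good_rng), ("weak", weak_rng)):
        rep = entropy_report(gen(20_000))
        print(name, rep, "SUSPICIOUS" if is_suspicious(rep) else "ok")
```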
So there is also an article linked about the ISO standard rejection of certain NSA encryption algorithms. Yes, a lot of these got rejected. So while he's ranting over here, I don't get some of his stuff, because he's not verifying it. He's just saying he thinks it's arbitrary to do this, or that you can arbitrarily man-in-the-middle. Now, he is correct that more complexity can equate to, well, statistically is going to, there. So if I have a more complicated machine there's more potential ways for you to find holes in it. That's fact. But that doesn't mean we don't secure things. Yeah, it's harder to break into my building with a lock and key, and it is more complicated, because a lock and key could fail, but it's a lot better than not having any lock and key. So if it fails one percent of the time... in reality, we do not see people doing this. Matter of fact, what he says is kind of wrong. He says we learned through Snowden and all these, you know, vault dumps of different three-letter agencies that they're cracking our encryption. No, we actually see the opposite. We see that all these hacking tools and ways they want to get on the phone directly are to bypass, because they can't just see the traffic. Because they can't see the traffic, they've had to adopt other methods to get ahead of the traffic, to get ahead of the systems, because of the encryption that they can't crack, and they realize that they failed at cracking encryption. So now they do more targeted attacks, and we've seen this with the Vault 7 dumps, we've seen this through what Snowden talks about. This is why they do different types, because they can't just sit back and watch the traffic like he claims here. So, "downright dangerous": I completely disagree with him on that. So is it useful? Yeah, I agree.
So I agree with him saying it is useful, not the Holy Grail. Sure, we are always at a constant effort to improve our systems that these things are built on, but "downright dangerous"? I'm still using HTTPS, and you should be too. Like I said, I normally won't address some of the crazy people out there, and I'm not calling him a crazy person; I'm calling this particular video crazy, which you can see by the downvotes on it, and yeah, I don't really understand what he's going at here. I understand having some extreme views; you meet a lot of people like that, and, you know, funny thing, I see Richard Stallman down there, met him, talk about extreme views. Hey, I can respect that. But crazy ranting of "they can just hack a CA arbitrarily"? No, sorry, doesn't work that way. Or crazy ranting and saying that they can just watch all your traffic with man-in-the-middle. It's like, it's not like HTTPS, or TLS, I mean, come on, "the NSA developed it, so it's all backdoored." No. These security researchers, and I'll leave you links in the comments and in the description below, they have vetted it. Unless he knows these people that can allegedly do this, as he calls it, I think he said the words "any hacker worth his salt", please let me know; that would be interesting, if the NSA has now employed people that are so brilliantly beyond the scope of what major security researchers, not just one, multiple ones, and there's plenty more that have vetted this... He knows them? I'm fascinated by that. Maybe Bryan knows something I completely don't know, but I'm gonna call him out on this.
I do want to talk with him on a show too, if he wants to. I don't know if he has an interest in talking with me or not, but yeah, I think he's gone off the deep end on this. Feel free to share your comments, though, on "HTTPS is dangerous." I'm curious, and if I'm completely wrong, please let me know, because, yeah, I'm kind of lost on this. Like I said, I normally don't address craziness, but Bryan Lunduke has been around a little while and has 5.2 million views on his channel overall; there's people watching him, so I figured, hey, I'll talk about this a little bit. All right, thanks for watching. Hopefully this was helpful or explanatory, or maybe you just think I'm really wrong. Let me know what you think in the comments below, and as always, like, subscribe and all that fun stuff. Thanks.