HTTPS is Dangerous

12,758 views

Added 12 Feb 2018

HTTPS, the "secure" form of HTTP, is dangerous. Seriously. That may be an unpopular position, but there are some critical issues with HTTPS -- and the fact that it is being forced on all website operators -- that should raise everyone's eyebrows. Poor design. NSA backdoors. Serious, freaky problems.

Audio podcast:
http://lunduke.com/2018/02/12/https-i...

== This episode sponsored by ==

System76: https://system76.com

Pogo Linux: http://www.pogolinux.com/

LulzBot 3D Printers: https://www.lulzbot.com/

Comments • 346

Miha Frangež (1 month ago, highlighted comment)
Yay, another controversial one! Sorry for the wall of text, but I really hope you can get the time to respond. Let's go through it, one by one:
1) Certificates expire: Yes, domain names expire too. You don't want the previous owner of your domain to be able to spoof traffic, do you? Also, if your certificate is stolen, it can only be used for a limited time.
2) It's easy to fake certificates: Is it? I wouldn't call essentially hacking a CA easy. Sure, there have been bugs in their software, but that isn't an inherent flaw of HTTPS.
3) SHA was developed by the NSA: Bryan, oh, Bryan... This is borderline paranoia. Not everything made by the NSA is bad (SELinux, etc.). The mathematics has been checked again and again. Last time the NSA tried to put a backdoor in encryption (the elliptic curve thing) it was found by independent researchers.
3.1) The NSA can read our encrypted traffic. You call this a fact, but it is simply not true. All the cases (that I know) of ANY spy agency bypassing HTTPS was by forcing a CA to issue a fake certificate or by forcing the site to give them the real one. An inherent problem of the CA model, yes, but it isn't a backdoor in the way you describe it.
3.2) The NSA wrote our random number generators: You can use whatever RNG you want. Uranium, kittens in a box... hell, Cloudflare uses a wall of lava lamps. I don't think the backdoored RNG is still being used anywhere.
4) Adding complexity: Encryption is, by definition, complex. Yes, plaintext has less complexity. But if the added complexity makes HTTPS 20% less secure (and it doesn't), that's still 80% more security than plain text.
5) No reason to encrypt lunduke.com: The security isn't needed, true, but privacy and authenticity are. One could, for example, MITM me and add an article, supposedly by you, talking about a really cool program that actually has a trojan in it. Or, in the privacy case, your site might be labeled as 'extremist' by some governments.
I wouldn't be surprised if your site is already on one of those NSA keyword watchlists. HTTPS, along with DNSSEC, would leave no indication that someone visited your site (assuming you don't self-host, but at that point you have bigger problems). As a conclusion, I would like to say that as it stands now, I trust your social media accounts (Twitter, YT, Mastodon) more than I do your website. I hate social media, but at least I can be sure that changing what I'm reading would take much more than just 6 lines of Python.
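The authenticity argument in the comment above rests on what a TLS client actually verifies before it trusts a server: that the certificate is inside its validity window, that it names the host being contacted, and that it chains to a trusted root. The following is an added example (not code from the video, the commenter, or any project) that makes the first two checks explicit on a dict shaped like Python's `ssl.SSLSocket.getpeercert()` output. The certificate data is constructed for illustration and is not a real certificate; only the hostname `lunduke.com` comes from the thread.

```python
import ssl

# Constructed sample shaped like ssl.SSLSocket.getpeercert() output.
# Not a real certificate: the dates and the issuer are made up for illustration.
SAMPLE_CERT = {
    "subject": ((("commonName", "lunduke.com"),),),
    "issuer": ((("organizationName", "Example CA (constructed)"),),),
    "notBefore": "Jan 10 00:00:00 2018 GMT",
    "notAfter": "Apr 10 00:00:00 2018 GMT",
    "subjectAltName": (("DNS", "lunduke.com"), ("DNS", "*.lunduke.com")),
}


def hardened_context() -> ssl.SSLContext:
    """Client context with chain verification and hostname checking on and
    legacy protocol versions off. create_default_context() already sets
    CERT_REQUIRED and check_hostname; this only raises the version floor."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def context_is_hardened(ctx: ssl.SSLContext) -> bool:
    """True when the context verifies the chain, checks the hostname and
    refuses anything older than TLS 1.2."""
    return (
        ctx.check_hostname
        and ctx.verify_mode == ssl.CERT_REQUIRED
        and ctx.minimum_version >= ssl.TLSVersion.TLSv1_2
    )


def _dns_name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125 style matching: a wildcard may only be the whole left-most
    label, it matches exactly one label, and at least two labels must follow
    it (so '*.com' never matches anything)."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def hostname_matches(cert: dict, hostname: str) -> bool:
    """Match against the DNS SANs; fall back to the CN only when the
    certificate carries no SAN at all (legacy behaviour)."""
    dns_names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if dns_names:
        return any(_dns_name_matches(name, hostname) for name in dns_names)
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return _dns_name_matches(value, hostname)
    return False


def validity_status(cert: dict, now_epoch: float) -> str:
    """Compare the certificate's validity window with a point in time
    given as seconds since the Unix epoch."""
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    if now_epoch < not_before:
        return "not_yet_valid"
    if now_epoch > not_after:
        return "expired"
    return "valid"


def evaluate_cert(cert: dict, hostname: str, now_epoch: float) -> list:
    """Return the reasons a client should refuse this certificate for this
    hostname at this time; an empty list means both checks passed. Chain
    verification against the trust store is left to the SSLContext."""
    problems = []
    status = validity_status(cert, now_epoch)
    if status != "valid":
        problems.append(status)
    if not hostname_matches(cert, hostname):
        problems.append("hostname_mismatch")
    return problems


if __name__ == "__main__":
    upload_day = 1518393600  # 2018-02-12 00:00:00 UTC, the video's upload date
    print(evaluate_cert(SAMPLE_CERT, "lunduke.com", upload_day))              # []
    print(evaluate_cert(SAMPLE_CERT, "www.lunduke.com", upload_day))          # []
    print(evaluate_cert(SAMPLE_CERT, "lunduke.com", upload_day + 90 * 86400)) # ['expired']
    print(evaluate_cert(SAMPLE_CERT, "evil.example", upload_day))             # ['hostname_mismatch']
```

The expiry check is the mechanism behind point 1 of the comment: a leaked key only buys an attacker the remaining validity window. The hostname check is what a browser enforces so that a certificate issued for one name cannot be presented for another; the wildcard rules are deliberately narrow (one label, never the top two) for the same reason.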
The Vipor29 Linux and Retro Channel
hey lunduke did you pay the electric this month LOL
Zzyzx Wolfe
Bryan Lunduke is dangerous!
Aiden Gilmartin
Please link your sources. Having an opinion on something contrary to the mainstream is fine but I would really like to read what you have that has made you take this position.
Balázs Ludmány
Those technologies have been developed by government agencies but they have been verified by independent researchers and implemented by independent developers. It's hard to put backdoors in math, much easier to do it with the implementations though.
John Yang
Bad logic, get things together.
Rocco Augusto
As someone that does public events, you really think your site would have HTTPS. It just takes one person with a WiFi Pineapple or FruityWifi device or any other rogue access point sitting in the crowd at one of your speaking events to put up a fake version of your site on their rogue access points to serve malware to people that might visit your site to get more information about you. Without even having HTTPS on your site you just make their job easier since they do not have to try and sslstrip the connection or create fake certs.
Silvian Dragan
Dude you’re talking nonsense today.
Mathieu LANCE
Is it just a long excuse not to bother getting a certificate for lunduke.com? Maybe.
Thijs
You cannot keep saying 'We know that for a fact' the entire time. Can you please provide some sources for your claims? That would make you a lot more credible. I understand your concerns, but please, give us your sources.