Michał "rysiek" Woźniak · 🇺🇦Jun 7, 2024

Lukewarm take:

When I see general* "security advice" that mentions "do not use public WiFi" or "use a VPN", I am immediately suspicious about all other advice offered.

Yes, a decade ago that was a consideration, because most sites were not using HTTPS. Credentials were flying cleartext on the wire.

Today, almost all sites use HTTPS. Doesn't mean the risk is zero, but it's way lower.

*) "general" meaning "without a very specific threat model in mind", meant for general public, etc.

#InfoSec

Show threadMichał "rysiek" Woźniak · 🇺🇦Jun 7, 2024

Actually, downgraded that take to "lukewarm", it should really not be controversial at all these days. It's been a hot minute since LetsEncrypt changed the HTTPS landscape!

What is beyond me is that such "security advice" still gets pushed. 

Show threadMichał "rysiek" Woźniak · 🇺🇦Jun 7, 2024

Also, shout-out to @letsencrypt for dramatically changing the security landscape of the Web for the better over the years.

Rarely is there an example of a project so effective and so directly improving everyone's lives, while at the same time keeping the original engineering mindset and just Doing Stuff Right™ humbly in the background.

Next November it will have been exactly a decade since LE started. We all owe them a huge 10th birthday party.

#InfoSec

Show threadmathew
@rysiek @letsencrypt I wish they'd start offering S/MIME certificates. If we could normalize that, phishing would be much less of a problem.
Jun 8, 2024 at 8:57pmWeb
Show threadviqJul 3, 2024
@mathew @rysiek @letsencrypt IIRC CACert.org does do S/MIME certs, though they're quite a different model, and never got widely included like LE did.