Kool-aid is delicious.
Since when? You could not even give us that as kids… we just did not do Kool-Aid.
I prefer to not lock my house because the lock company has a copy of the key.
Clickbait title; first proposition is full of holes.
Not sure what the angle is these days, but I wish he wouldn't do it.
Certificates expiring is dangerous? Really.
Apparently when you get a certificate your job is done and you never renew them?
Who knew. Not sure why my server keeps renewing my Let's Encrypt certificates. Renewal is good in these cases.
Fake certificates are easy to make…
No, they're not.
He seems to suggest that it's as trivial as "spoofing a hash" of a CA, I presume, to make fake certificates… Source? Example?
SHA
Apparently because it was designed by the NSA it can't be trusted?
I'm done, this is ridiculous paranoia and jumping to conclusions with no sources or examples. What a horribly researched video to put out; makes the community look super good. I'm wondering what the purpose of that video is? Just for the money and clicks and attention? Or is he just oblivious?
This should have been on Lunduke files. (crazy ramblings show)
So, seeing as the thread opener doesn't have a description, what is the tl;dr of that video?
tl;dr
EDIT: Also the lock company MIGHT have a copy. But probably not.
Aren't they all?
I know he's a friend of L1T and started Jupiter Broadcasting, but I've never been a fan of the guy. He just spews nonsense with a "These are just my opinions" disclaimer so no one can call him out.
This is just a cop-out. That might be fine if it's just a video of your opinion about something that happened, say, but when you're saying you can't trust SHA because the NSA designed it, or that HTTPS is dangerous, you'd better support your claims with researched facts.
This is one of the worst videos I've seen him make.
Agreed. Usually his videos aren't bad. (Unless it's Friday.)
Considering he has some fair prominence, this is a very disappointing video. I hope it doesn't influence anyone new to this stuff.
There isn't really much other Linux video content, so his comes up a lot. Maybe there should be a counter video.
It's not disappointing, it's downright dangerous.
Agreed. I might try to go through and make counterpoints if I can; it just needs some time to research and provide suitable evidence. (What a novel concept.)
I mean he does bring up some valid points, but what would concern me is who is allowed to be a CA these days, and that doesn't just affect HTTPS. There is a fair bit of tin foil involved here for sure.
I wouldn't bother. The infosec community is laying into him, so someone will have something soon. I'll post something when I see it. I've been waiting for the registry to lay into him.
I'm going by his logic. But yeah, agreed.
There are fairly good controls on this. A CA making a mistake can end, and has ended, their business. Symantec as a CA, for example, is no more; their few mistakes have led to the gradual distrust of their root certificates and exclusion from use.
Some decent points from a comment on his video:
Author: Miha Frangež
Certificates expire: Yes, domain names expire too. You don't want the previous owner of your domain to be able to spoof traffic, do you? Also, if your certificate is stolen, it can only be used for a limited time.
It's easy to fake certificates: Is it? I wouldn't call essentially hacking a CA easy. Sure, there have been bugs in their software, but that isn't an inherent flaw of HTTPS.
SHA was developed by the NSA: Bryan, oh, Bryan… This is borderline paranoia. Not everything made by the NSA is bad (SELinux, etc.). The mathematics has been checked again and again. Last time the NSA tried to put a backdoor in encryption (the elliptic curve thing) it was found by independent researchers.
3.1) The NSA can read our encrypted traffic. You call this a fact, but it is simply not true. All the cases (that I know of) of ANY spy agency bypassing HTTPS were by forcing a CA to issue a fake certificate or by forcing the site to give them the real one. An inherent problem of the CA model, yes, but it isn't a backdoor in the way you describe it.
3.2) The NSA wrote our random number generators: You can use whatever RNG you want. Uranium, kittens in a box… hell, Cloudflare uses a wall of lava lamps. I don't think the backdoored RNG is still being used anywhere.
Adding complexity: Encryption is, by definition, complex. Yes, plaintext has less complexity. But if the added complexity makes HTTPS 20% less secure (and it doesn't), that's still 80% more security than plain text.
No reason to encrypt lunduke.com: The security isn't needed, true, but privacy and authenticity are. One could, for example, MITM me and add an article, supposedly by you, talking about a really cool program that actually has a trojan in it. Or, in the privacy case, your site might be labeled as "extremist" by some governments. I wouldn't be surprised if your site is already on one of those NSA keyword watchlists. HTTPS, along with DNSSEC, would leave no indication that someone visited your site (assuming you don't self-host, but at that point you have bigger problems). [This isn't entirely correct, since the initial SSL handshake contains the hostname in clear text.]
Still trying to consider his points… but his points on the government developing some of the methods do present valid concerns to me, as I am not likely to trust government anything. I am of the mind that better security is good, but consider completely trusting an entity as slapping on blinders.