On the Web, HTTPS Has Actually Become a Privacy Problem (Broadcasting Usage/Access to the All-Seeing CA Eye). Geminispace Doesn't Have This Problem.
Down to 23 capsules: the rapid demise of Certificate Authority (CA) Let's Encrypt in Geminispace
THE Linux Foundation's Certificate Authority continues its rapid decline in Geminispace. It's one heck of a fall.
To quote Lupa today: "This page presents some statistics on the current state of the Gemini space. It has been updated on 2024-10-07 03:04:00Z. [...] 2587 (89.7 %) capsules are self-signed, 23 (0.8 %) use the Certificate Authority Let's Encrypt, 274 (9.5 %) are signed by another CA (may be not a trusted one)."
It's down from about 12% a couple of years ago to just 0.8% right now.
On the Web, HTTPS by default would likely be OK if sites were allowed to sign their own certificates, vouching for their own authenticity rather than outsourcing trust (presenting yet another layer of risk). Over the weekend someone asked: "What about dealing with sites which have self-signed TLS certificates? I think there can be a work-around for that in RRRRRR. The hard part would be fetching the individual certificates for local caching."
In practice, as the Web requires a Web browser or Web client, the Web does not 'support' self-signed TLS certificates. It supports that in theory, but the "modern" browsers have already decided that they're rotten (TLS certificates can never be trusted) and those browsers basically set the "standard". In the command line, curl and wget decided that by default they won't trust that either. Maybe those defaults aren't even possible to bypass anymore. The same is true for some Web/socket libraries in various programming languages; they could in theory facilitate sign-signed certificates and they decided not to. So self-signed TLS certificates, at least in 2024, are for sites inside intranets maybe, not the World Wide Web. In my last job I installed WordPress in that way (this was some years ago). Maybe the latest Chrome and Firefox would no longer accept that, even for some intranets where there's no good reason to exposed usage patterns to CAs outside the intranet.
Well, the situation on the Web keeps getting worse; even intranets are impacted. Companies like Microsoft and Google want a complete log of which domains (or sites) people access and they call that "security", even "privacy". Gemini Protocol does not have this issue. No such pretences. No "eye of Sauron".
Shall we call it the "See Eye A" (CIA)? Or "the All-Seeing CA Eye" (CAI)? Jokes aside, don't believe fake security posers and "clowns" just because they repeat talking points from GAFAM. Their goal isn't security but the opposite. █