
Web Encryption is now FICTION. But there's LetsEncrypt…

Web encryption is now completely broken. Recent changes announced in the EU will now ensure that a man-in-the-middle will be commonplace and we will be made to think that encryption still exists. I will explain this serious issue that really makes our expectation of security and privacy on the internet complete fiction.

However, it is not fiction when you go to websites powered by LetsEncrypt. Let’s find out why.

00:00 Intro
02:55 Web Encryption is Broken
06:06 But Wait…The Real Bad News
09:14 History Will Now Repeat Itself
10:58 LetsEncrypt. The Last Bastion of Trust
13:27 LetsEncrypt Demo
18:10 Summary

———————————–
De-Googled Phones are available on https://brax.me. Around $400. Sign in to the platform to see the store. You will not be asked for personal information like email.
———————————–
Merch Store
https://my-store-c37a50.creator-spring.com/
———————————–

I’m the Internet Privacy Guy. I’m a public interest technologist. I’m here to educate. You are losing your Internet privacy and Internet security every day if you don’t fight for it. Your data is collected with endless permanent data mining. Learn about a TOR router, a VPN, antivirus, spyware, firewalls, IP address, wifi triangulation, data privacy regulation, backups and tech tools, and evading mass surveillance from NSA, CIA, FBI. Learn how to be anonymous on the Internet so you are not profiled. Learn to speak freely with pseudo anonymity. Learn more about the dangers of the internet and the dangers of social media, dangers of email.

I like alternative communication technology like Amateur Radio and data communications using Analog. I’m a licensed HAM operator.

Support this channel on Patreon! https://www.patreon.com/user?u=17858353

Contact Rob on the Brax.Me App (@robbraxman) for encrypted conversations (open source platform)

https://brax.me/home/rob Store for BytzVPN, BraxRouter, De-googled Privacy AOSP Phones, Linux phones, and merchandise

https://bytzvpn.com Premium VPN with Pi-Hole, Cloud-Based TOR Routing

https://whatthezuck.net Cybersecurity Reference

https://brax.me Privacy Focused Social Media – Open Source

Please follow me on
Odysee
https://odysee.com/$/invite/@RobBraxmanTech:6
Rumble
https://rumble.com/c/robbraxman


by Rob Braxman Tech


29 thoughts on “Web Encryption is now FICTION. But there's LetsEncrypt…”

  • I use a Proton VPN so they can't see me!

  • Before I saw this video: Website owners who use Lets Encrypt certificates are lazy and cheapskate (don't want to spend $100+ each year on a "real" certificate from a "trusted" provider out of a $10,000 – $ million IT budget). It should only be hobbyists and very small businesses who use Lets Encrypt for their hobby projects or a small web blog.
    After I saw this video: Website owners who use Lets Encrypt certificates are privacy life savers. *** all other website owners who use other certificates than Lets Encrypt.

  • I suspect the EU will get away with this for a little while until they either, through the usual bout of incompetence, break the internet via this scheme, or find themselves in some high profile mess of political warfare. At that point, I see people rapidly embracing different internet paradigms such as things like zero net.

    The government is going to force pandora's box onto the digital world as people embrace the most uncensorable, most opaque options yet envisioned simply because governments never respond well to "no" as an answer…. and always overestimate the ability of populations to enforce that sentiment.

  • Can someone tell me what this law he’s mentioning is called? Was it already voted? I can’t find any news about it

  • SSL/HTTPS was always about control and censorship. Soon no one will be permitted to publish on the Internet unless in possession of a good-standing encryption certificate: And paid-up, as well.

    Browsers and those that control the Internet will permit no traffic to any site not with same.

    That was the plan all along, not the “security and privacy” canard.

    And you don’t want to know CloudFlare’s role in censorship, either.

  • I had heard that your bunker had been hit by a jetliner. But no. Best wishes. Merry Christmas. Mass surveillance is another term for Marketing. It's all marketing – from objects to ideas, from actions to beliefs. So .. fix the PKI. Change it.

  • Thanks, again, Rob! And, thanks for leaving a moment at the end to click, "like."

  • Rob, I think you didn't understand PKI encryption, or I haven't understood. Imho it works this way: I generate a key pair with openssl keygen on my PC. Now I send the public key to a CA. The CA checks my identity and then signs the key. By signing the key, the key is promoted to a certificate. I can have several certificates for my key. The certificate proves my identity as far as someone trusts the signing CA. The communication using keys that I generated myself is safe because only I have the private key. If someone trusts a key generated by a third party, he should begin reading about PKI once more. If you have doubts about a certificate, you can always rely on the public key you get from another channel (remember the 2FA method). In this light LetsEncrypt certificates are snake oil because LetsEncrypt probably has a copy of the private key. certbot is generating. The only reason to use LetsEncrypt certs for my servers is that browsers behave in a frenzy if you use a self-signed certificate. The browser makers are fooling users. It may be a risk to trust a self-signed cert, you can't be sure to whom you have a connection, but the line itself is safe.

  • As usual, a great video tutorial warning message about our personal security ONLINE. Thanks for making and sharing 🙂

  • Governments like to hack and destabilize secure connections.
    Pretty sad state of affairs, but I'm not surprised.
    Zero trust.

  • Your comments on Lets Encrypt are completely bonkers given that you assume others will misuse the root certificate keys. Why on earth would Lets Encrypt not do the same? You are 100% assuming that Lets Encrypt, controlling 300 million hosts they can spoof, and more, is 100% honest.

  • It's by design: the system of trust assumes trust is implied. I had a project a while ago where I needed to debug the communication between a proprietary Android app and an API server hosted by a third party. I installed my own generated certificate authority into Android, set up a router that intercepted DNS requests and provided my proxy server as the domain of the host API. I then signed my proxy server certificate with my certificate authority, allowing my proxy to look like the target API server. This is actually easy if you know how. Again, this system is designed to be flawed to support spying. Most certificate authorities are registered and operated out of the US. Haven't people wondered how the US can intercept emails or bank transfers? Or how Apple phones can be decrypted? Public/private key security is only secure if you trust the authority.

  • Wait a sec. If the EU and others give themselves the right to do root certificates and try to make it illegal to remove them, then isn't it completely irrelevant who issued your certificate? From your other videos such a bad actor can MITM all the traffic. Am I missing something? Isn't the real solution to remove these middlemen entirely and go with something decentralized and provably trustworthy, like having DNS and public key stuff on a blockchain with only the owner having, say, the proper NFT token to be able to change the information?

  • Would using a VPN protect your web traffic from being read?

    I just saw that you offer a VPN service 🙂

  • There's a war going on that's much bigger than this . . . it's a battle for your SOUL, not your bank account.

  • This is what happens when the folks who make law have absolutely no idea what any of this stuff means.

  • ROB when are you going to review the COPA vs Wright trial coming up this jan 15? I am wondering why you don't speak about it, since you are so up to date on everything else in the computer science industry.

  • As soon as I saw the heading "But Wait…The Real Bad News" I knew it was about EU even before I started to listen to this part.

  • Idiots are required to believe GAFAM private keys are in a safe place, e.g. deriving the root key. Every mass medium is perfectly monitored against the constitution of most countries! Thanks for your video.
    For a good internet with a good privacy / security ratio, what is needed is a safe place to store "comments" as a democratic and trustable regulation of services. Making statistics on it is very important and requires low resources; it is very easy to add as browser plugins. Too many "comments" are disabled without effective reason.
    Second thing: using new IPv6 addresses that directly encode the average GPS location of the device for a more efficient legit survey; if you have the location, you can know if a private key can be shared with your client by another local network, like a two-factor authentication.

  • "You basically install and run their software on your server…." — what could possibly go wrong?

  • You create a false sense of security with this video. Let's Encrypt is not safe at all. In your case, a FISA warrant under the nose of your DNS hosting (AWS) and they can generate a certificate for your domain. Yes, Let's Encrypt can protect against some types of attack, but not against three-letter agencies.

  • IMO the PKI design is not the problem, after all it’s just a tool and it is doing its job, right? The problem is that we give the absolute ultimate trust to a few hundred root certificates, just because, and not all of their owners have a solid reputation. Basically everyone got used to the fact that the “green lock icon” in the web browser means that everything is encrypted. Non-tech-savvy people never even dived into the understanding of PKI, and most people that even understand how it all works choose to also blindly trust them.

    I have decided for myself that it’s not a problem at all for me to maintain my own CA, so part of my web resources that are intended to be used only by my family use the certificates signed by my own root CA. I have installed it to my devices manually and it works great. It is also convenient to establish mutual-tls connections this way and make sure that no one will be able to even connect to, let’s say, my password manager, if he or she is not supposed to. Services intended for a public use just use normal letsencrypt certificates.

    In general I 100% agree with the message of the video. You cannot and should not really give too much trust if the CA is issued not by a non-profit organization with decent morals and a crystal clean reputation and processes, but rather by some government, especially if we are talking about a country where the government invests billions into surveillance systems to spy on their citizens. This is why folks in China remove some certificates from their systems and custom Android images. I am from Russia and I never ever trust the Russian government CA, and if I need to enter some government website, I do it only in a dedicated virtual machine, and I believe that some other root CAs deserve the same treatment as well.
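As an added example after the two comments above that walk through the key-pair / CSR / CA flow (the one beginning "Rob I think you didn't understand PKI" and this one about running a private root CA for the family): a throwaway PKI built with the openssl command line. It is not code from the video or from any commenter, and the names example.test, Demo Root CA and Other Root CA are made up for the demo. It shows three things a practitioner would want to see rather than read about: that a CSR carries only the public key (the private key is generated and stays where it will be used, which is also how certbot-style ACME clients work), that the very same server certificate is accepted or rejected purely according to which roots are in the trust store, and that once a second root is added to that store, a certificate issued under it for the same name with a different key validates just as well. That last run is the mechanism behind the root-certificate concern the video raises, and it is why the trust store on your own devices, not the CA that issued a given site's certificate, is the thing to audit.

```shell
#!/bin/sh
# Added example, not code from the video or from any commenter. A throwaway PKI
# built with the openssl CLI: two independent root CAs, a server key pair and CSR,
# a second key pair that requests the same name, and chain validation against
# different trust stores. The names example.test, Demo Root CA and Other Root CA
# are made up. Needs the openssl command; all files go to a temporary directory.
set -e

WORK="${WORK:-$(mktemp -d)}"

# Minimal config so the root certificates get CA:TRUE on every openssl version
# instead of depending on whatever /etc/ssl/openssl.cnf happens to say.
write_req_config() {
  cat > "$WORK/req.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ca_ext
prompt = no
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
}

# Self-signed root CA: key and certificate in one step.
make_root_ca() {
  cn="$1"; base="$2"
  openssl req -x509 -config "$WORK/req.cnf" -newkey rsa:2048 -nodes -days 30 \
    -subj "/CN=$cn" -keyout "$WORK/$base.key" -out "$WORK/$base.crt" >/dev/null 2>&1
}

# Key pair plus CSR, generated where the key will be used. The CSR carries the
# public key and the requested name; the private key never leaves $WORK.
make_key_and_csr() {
  base="$1"; cn="$2"
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$WORK/$base.key" >/dev/null 2>&1
  openssl req -new -config "$WORK/req.cnf" -key "$WORK/$base.key" \
    -subj "/CN=$cn" -out "$WORK/$base.csr" >/dev/null 2>&1
}

# The CA's whole job: sign the CSR with its own key, producing a certificate.
sign_csr() {
  csr="$1"; ca="$2"; out="$3"
  openssl x509 -req -in "$WORK/$csr.csr" -days 30 \
    -CA "$WORK/$ca.crt" -CAkey "$WORK/$ca.key" -CAcreateserial \
    -out "$WORK/$out.crt" >/dev/null 2>&1
}

# Succeeds when the CSR holds the same public key as the key file and no
# private-key material at all.
csr_carries_only_public_key() {
  base="$1"
  if grep -q "PRIVATE KEY" "$WORK/$base.csr"; then return 1; fi
  [ "$(openssl req -in "$WORK/$base.csr" -pubkey -noout)" = \
    "$(openssl pkey -in "$WORK/$base.key" -pubout)" ]
}

# Exit status of chain validation against a trust store (a PEM bundle of roots).
verify_with_trust_store() {
  store="$1"; cert="$2"
  openssl verify -CAfile "$WORK/$store" "$WORK/$cert.crt" >/dev/null 2>&1
}

setup_demo_pki() {
  write_req_config
  make_root_ca "Demo Root CA" good-ca
  make_root_ca "Other Root CA" other-ca
  make_key_and_csr server example.test     # the real server's key
  make_key_and_csr impostor example.test   # a different key asking for the same name
  sign_csr server good-ca server
  sign_csr impostor other-ca impostor
  cat "$WORK/good-ca.crt" "$WORK/other-ca.crt" > "$WORK/both.pem"
}

# Human-readable run of the checks, printed when the file is executed directly.
report() {
  ok() { "$@" && echo OK || echo rejected; }
  echo "CSR holds only the public key:            $(csr_carries_only_public_key server && echo yes || echo no)"
  echo "server cert, trust store {Demo}:          $(ok verify_with_trust_store good-ca.crt server)"
  echo "server cert, trust store {Other}:         $(ok verify_with_trust_store other-ca.crt server)"
  echo "impostor cert, trust store {Demo}:        $(ok verify_with_trust_store good-ca.crt impostor)"
  echo "impostor cert, trust store {Demo,Other}:  $(ok verify_with_trust_store both.pem impostor)"
}

setup_demo_pki
report
```

Run it with sh. The middle three report lines are the point: one and the same server certificate is OK under the Demo root and rejected under the Other root, and the impostor certificate, which the Demo root alone rejects, becomes OK the moment Other Root CA sits in the bundle. Nothing about the server, its key or its CA changed between those runs; only the verifier's list of roots did.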

  • Does anyone know how to bypass YouTube ads? Brave doesn’t anymore

  • Using nginx proxy manager it's even easier to get a letsencrypt cert automatically from the web interface.

  • Is it true or false disabling the 2G cell network setting on your Android can prevent a Man in the Middle?

  • Anything that's for "free" more often than not turns out to be selling your data or spying on you in some way to give info to someone who pays; how else is it financially viable to keep running? Let's Encrypt just sounds like the key to the castle to me.
