Sure, but the communication is still encrypted.
Good point, but what’s the point in encrypting data if it just goes straight into the hands of an adversary?
Sure, other adversaries can’t also steal a copy of the same data, but I’m not sure if that’s really a concern if you’ve just handed your bank account login to gangsters. They can’t steal your savings if someone else already stole them first, if you catch my drift. And if it’s some other random login-password combos, you’ll just end up with your password in two darkweb dumps rather than one.
I’m not saying that you’re wrong, but it’s a relatively minor distinction. Both self-encrypted https and plain http deserve big warnings for end-users.
I suppose it’s all pointless anyway, now that I think about it. The NSA’s BULLRUN can purportedly break TLS-based encryption. I’d wager that they backdoored themselves at the cert-issuers, Clipper-chip style.
So I find it funny that when you access an http site you don’t get a warning about the site being unsafe…
What browser are you using? I use Firefox, Mullvad Browser, and occasionally Chromium (all on Linux), and they all complain about plain http sites (as far as I recall).
Not really. Anyone can self-sign a certificate, even someone conducting a Man-in-the-Middle.
By allowing self-signed certs, the average user could be lulled into a false sense of security. These users could easily believe that they have connected directly, securely, and safely to a website, when they have actually connected to an impostor site or a MitM proxy.
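To make the point in the two comments above concrete, here is an added example (my own, not something posted in this thread) using only Go’s standard library. It mints two self-signed certificates that both claim the same constructed hostname, `example.test`, then runs the same chain validation a browser does. Against a trust store that does not contain the certificate, verification fails with an unknown-authority error, which is exactly why browsers warn: nothing distinguishes the site’s own self-signed cert from one a MitM proxy generated a second ago. Only when that one specific certificate is explicitly pinned into the trust store does it pass, and the second, impostor certificate for the same name still fails.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// MakeSelfSigned mints a self-signed leaf certificate claiming `host`.
// No CA is involved: any party, a MitM proxy included, can produce one.
func MakeSelfSigned(host string, serial int64) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: host},
		DNSNames:              []string{host},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
	}
	// The template is both the certificate and its own issuer: self-signed.
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// VerifyForHost runs the chain validation a browser performs, but against
// an explicit trust store instead of the system one.
func VerifyForHost(cert *x509.Certificate, host string, roots *x509.CertPool) error {
	_, err := cert.Verify(x509.VerifyOptions{DNSName: host, Roots: roots})
	return err
}

// IsUnknownAuthority reports whether verification failed because no
// trusted root vouches for the certificate (the self-signed case).
func IsUnknownAuthority(err error) bool {
	var ua x509.UnknownAuthorityError
	return errors.As(err, &ua)
}

func main() {
	const host = "example.test" // constructed hostname, not a real site
	site, _ := MakeSelfSigned(host, 1)
	impostor, _ := MakeSelfSigned(host, 2) // a second self-signed cert for the same name

	empty := x509.NewCertPool() // a trust store that does not know this cert
	fmt.Println("untrusted store:", VerifyForHost(site, host, empty))

	pinned := x509.NewCertPool()
	pinned.AddCert(site) // explicitly trust exactly this one certificate
	fmt.Println("pinned, genuine: ", VerifyForHost(site, host, pinned))
	fmt.Println("pinned, impostor:", VerifyForHost(impostor, host, pinned))
}
```

The pinning branch is what a user effectively does when they click through a browser’s self-signed warning: they are not verifying the site, they are deciding to trust whatever certificate happened to arrive first. Unless that fingerprint was checked out of band, the impostor case is indistinguishable from the genuine one at click time.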
There are a lot of liberals and libertarians involved in FOSS, to the point where some FOSS and FOSS-adjacent media (i.e. ‘Slashdot’) is practically unreadable. Even the most (in)famous FOSS advocate, Richard Stallman, has appeared on Infowars and is reportedly a sex pest. But there are comrades involved in FOSS too, and there are obvious benefits from avoiding corpo lock-in and corpo spyware (what they call ‘telemetry’), so… there’s that.
The NSA’s BULLRUN program suggests that the TLS encryption is compromised anyway. My money is on certificate authorities having given the NSA a backdoor ‘for national security’. I don’t think that they need to compromise an app directly.
If you need to communicate privately, please don’t use an open forum. Use an OS without telemetry (not Windows), make self-generated keys for GPG emails or OMEMO chat, and verify the key signatures directly with your comrades. If you need to communicate anonymously, bear in mind that there is no silver bullet.