How do you convince yourself that Graphene OS, Tails OS, Tor browser, or any other security tools, grant you true privacy when something as security critical as https is fundamentally flawed?

We rely heavily on https for providing a secure means of doing online banking, sending instant messages, downloading programs - almost everything. For a lot of browser oriented tasks, there is no alternative protocol, or protocol extension to safeguard communications. However, with the advent of Signal, and there being many alternative ways of installing a new program on your machine (e.g. compiling from source), online banking is a particular concern that remains.

Online banking with fiat currencies only functions with browsers and iOS/Android applications, and these functions both rely on https for loading pages, and subsequent API calls. If you truly did not believe in https efficacy in securing your communications, you’d have to visit your bank’s local branch in person because there is no https alternative.

• Interesting aside: These days, many top banks, including Scotiabank, which is the 37th largest bank in the world by total assets, mandates that you install their mobile app on your phone in order to utilize their online banking services. You can sign in on the mobile app without additional 2FA authentication, but when you try to log in using a Desktop browser, you are required to open the Scotiabank app and confirm it’s you trying to log in. This seems backwards to me because “mobile is not secure”. In May 2024, I have personally called Scotiabank on the phone, asking them to revoke the rule which requires using their mobile app, and was told it simply is not possible now that I have activated the mobile app, so to speak.

Tor also uses https, and it’s even likely you downloaded it from the clearnet using https if you are on Windows, or MacOS which, together, make up over 87% of the worldwide desktop OS market share. This means, Tor, a technology believed to grant any user the ultimate private and anonymizing experience on the internet, relies on https.

Your browser uses https to encrypt your connection to a web server without a “WARNING: trust certificate?” message because some certificate authority (CA) such as IdenTrust or DigiCert which, together, make up over 57% of the worldwide issuer markeshare, say it’s OK to use. If you create and sign a certificate yourself, you removed the glowing CA concern, but then there is still the possibility the glowies can squash 2048 bit Diffie Hellman key exchange like they did with 1024 bit DH in LogJam, or perhaps apply some other voodoo such as deep packet inspection to see exactly what you’re up to.

My idea to combat this, at least for instant messaging applications, is to have everyone generate their own, custom, idiosyncratic ciphers and/or encryption methods to use in tandem with the current industry security standards. While not fool proof, https will filter most skids, and it will also mandate that glowies look over the data personally in order to understand it, thereby exacerbating their resources.

I would like to hear your opinions on this matter. Thank you.