I don't know of any ISPs that are currently MITMing HTTPS. That seems like something that would be big news and get a CA revoked. Do you have a source for that?
The problem you run into with a decentralized site is you have to mirror massive amounts of data. I think this is what killed Usenet. Also spam is hard to fight.
I wonder if a federated Reddit would work. Different subreddits could be hosted on different servers but the accounts could all be connected.
I have been thinking it would be cool to have a Reddit replacement run by a non-profit, similar to Wikipedia. Does anyone here have experience running something like that? I understand non-profits are very complex to run.
I thought about this for my project, but decided against it, primarily due to associated complexity. Although I hear there are other business types being created that might be more suitable for websites.
Personally, I don't think profits are bad. But I think being profit driven is. I also think a company can serve a public role and not have to be a non-profit to do it.
App economics are much different from music economics.
From what I have observed, most people (the casual listener) will listen to the free streaming services (Pandora, Apple Radio, etc.). When people want to listen to a specific song they listen to it on YouTube.
The problem with allowing self-signed certificates has always been distinguishing if a site should be signed by a CA or not. Consider the following situation:
With the current implementation of browsers Bob knows that example.com should present a CA-signed certificate. But what if example.com wants to encrypt their data, but for whatever reason uses a self-signed certificate? Some people say that Bob's browser should not display a "big scary" warning, but instead display a UI similar to when accessing an HTTP site. However, in this situation HTTPS has lost some meaning. I think http2 should work as follows:
http2:// - encrypted, not verified
https2:// - encrypted and verified
This way the protocol still conveys the same level of information.
However, if it were completely up to me, I would say ditch the CAs and use Namecoin to verify certificates.
That's more or less what OE does. It allows the browser to use HTTP/2 (and encryption) to connect to a site, but keeps the user experience the same as unencrypted HTTP.
That's why self-signed certificates work in this context; the identity of the server's not supposed to be validated (unencrypted HTTP can't validate server identities), so the browser can accept a self-signed certificate without warning.
There's no change to how certificates are authenticated when accessing a site via an https:// URL.
Using something like Namecoin https://en.wikipedia.org/wiki/Namecoin and storing the cert hashes in the blockchain would allow for decentralized verification.