There was a mild uproar recently about Firefox adding a feature that could allow mozilla to push out extension blacklists or something, or disable extensions entirely for a specific site (for "security" of course). I'd read the details but all I have is a reddit link and all the libreddit instances are ratelimited rn: r/MozillaInAction/comments/14rt5jx/firefox_115_can_silently_remotely_disable_my/
so I just saw an HSTS popup and was reminded: there's already a sorta analagous feature that restrict's the user's ability to make their own decisions on privacy/security matters: HSTS. It prevents users from loading a page without working HTTPS even if they want to take that risk, and it is controlled by the site owner entirely, the user has no say.
HSTS is not really that anti-user, it just enforces secure transfer, you'd be an idiot to take the risk of using HTTP, and should also enforce HTTPS from the client-side whenever possible.
But let's talk about AGP cards, now those were anti-user.
Shoulda gone with PCI-X!
But actually this is just a joke about Blanchard
I mean sure but like, if https is broken, bypassing the cert check can be useful. with hsts you are at the mercy of the server operator to keep their shit working. if you know the risks you should be able to bypass it.
Occasionally there's discourse about how certificate authorities can be abused, like if a government insists that their mitm cert is included or a corporation refuses to allow the cert of someone they don't like. But, with the rise of popular services like Let's Encrypt that give out certs to anyone without asking questions, the chance that CAs get abused is pretty low I think. So https is a improvement in privacy and anything like hsts is good.
Not allowing users to let themselves get MITM'd is good, actually
I think we should always have a way to bypass that kind of thing though. Use a secret keyboard command and then have to type "Yes I would very much like to get hacked and have all my data stolen thank you" verbatim maybe. I don't think we should ever be flatly saying "no" to the user If they know what they're doing and want to take the risk.
