I am struggling to comprehend how allowing everyone between you and the services you use to view not only the metadata but the content as well could possibly be considered privacy-preserving.
It’s kind of an unorthodox take, but I’m guessing the idea is that if corporations perceived that they didn’t have secure ways to protect stuff, they would refrain from gathering as much stuff, because they would be afraid of the liability. And btw the perception / reality distinction is important here in supporting this theory.
I disagree. What makes corporations afraid of liability are laws enforcing liability. We never got those, and I don’t see why weaker encryption would’ve created them. We could, for example, have meaningful penalties when a company leaks passwords in plain text.
In your mind, SSL won't leak anything, and non-SSL leaks everything.
Make a list of everything you can infer without a cert by looking at an SSL connection. Then add on top of that all the things people with the cert or control over CAs can see, and make a list of them all.
When you're done, you'll notice SSL is not as perfect as you think, and the extra request and no cache compound all that.
> Make a list of everything you can infer without a cert by looking at an SSL connection
This exactly, and not just connection but connections, plural. If the network observes my encrypted connection to ocsp.apple.com followed by another encrypted connection to adobegenuine.com, an analyst could reasonably assume I'd just opened an Adobe Creative Suite app. Or if they see ocsp.apple.com followed by update.code.visualstudio.com, I probably just opened VSCode. Auto-updaters are the same kind of privacy scourge and every additional connection makes it worse.
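The multi-connection inference described in the comment above, sketched as an added example that is not part of any post in this thread: it takes the hostnames an on-path observer sees in DNS or TLS SNI (not the encrypted content) and pairs each `ocsp.apple.com` lookup with the vendor host that follows it, which is useful for auditing what your own machine's traffic gives away. The observation format, the 5-second window and the sample data are assumptions constructed for illustration; only the three hostnames come from the thread.

```python
from collections import namedtuple

# One observed connection: time in seconds and the hostname visible in DNS/SNI.
Obs = namedtuple("Obs", "t host")

TRIGGER = "ocsp.apple.com"  # certificate check seen at app launch (per the comment)
# Hypothetical lookup table built from the two pairs named in the comment.
FOLLOWUP_TO_APP = {
    "adobegenuine.com": "Adobe Creative Suite app",
    "update.code.visualstudio.com": "VSCode",
}
WINDOW = 5.0  # assumed: max seconds between the OCSP check and the vendor host


def infer_launches(observations, window=WINDOW):
    """Return [(launch_time, app)] inferred from hostname order and timing alone."""
    launches = []
    pending = None  # time of the most recent OCSP check not yet paired
    for obs in sorted(observations, key=lambda o: o.t):
        if obs.host == TRIGGER:
            pending = obs.t
        elif obs.host in FOLLOWUP_TO_APP and pending is not None:
            # Pair only when the vendor host closely follows the OCSP check;
            # a late follow-up is more likely an unrelated background poll.
            if obs.t - pending <= window:
                launches.append((pending, FOLLOWUP_TO_APP[obs.host]))
            pending = None
        # Any other hostname is ignored: noise does not hide the pairing.
    return launches


# Constructed sample capture (not real traffic).
SAMPLE = [
    Obs(0.0, "ocsp.apple.com"),
    Obs(0.8, "adobegenuine.com"),
    Obs(40.0, "example.org"),
    Obs(120.0, "ocsp.apple.com"),
    Obs(120.3, "example.org"),                    # unrelated traffic in between
    Obs(121.1, "update.code.visualstudio.com"),
    Obs(300.0, "update.code.visualstudio.com"),   # updater poll, no OCSP before it
    Obs(400.0, "ocsp.apple.com"),                 # launch with no known follow-up
]

if __name__ == "__main__":
    for t, app in infer_launches(SAMPLE):
        print(f"t={t:>6.1f}s  likely opened: {app}")
```

Every hostname in the table is one more launch an observer can label, which is why each additional auto-updater or licence check widens the leak even when all payloads are encrypted.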