
Re: Avoid HTTPS when possible?

From Lasse Kliemann <lasse-usenet-2011@mail.plastictree.net>
Newsgroups comp.security.misc
Subject Re: Avoid HTTPS when possible?
Date 2012-01-22 10:05 +0100
Organization Altopia Corp. - Usenet Access - www.altopia.com
Message-ID <5bd8tp.qfk.19.1@news.alt.net> (permalink)
References <5b6b58.6lp.19.1@news.alt.net> <86k44k71bt.fsf@gray.siamics.net>



Ivan Shmakov <oneingray@gmail.com> wrote:
>>>>>> Lasse Kliemann <lasse-usenet-2012@mail.plastictree.net> writes:
> 
> [...]
> 
> > So I would put the SSL fingerprint of my webserver on the visiting
> > card, in order that users can check the fingerprint and then import
> > the server certificate into their browser.  However, this is in vain
> > if some CA issues false certificates for my domain.
> 
>   AIUI, it's not.  A CA could indeed issue a false certificate for
>   the domain name.  However, it isn't that easy to make it possess
>   the same fingerprint, as it's the server's public key that the
>   fingerprint is computed from.
>
>   Actually, the whole point of CA's is to simplify public key
>   exchange.  In a world where everyone is able to just send his or
>   her own public keys, or (though less secure) their respective
>   fingerprints, to everyone, there's no need in CA.
>
>   Ultimately, yes, I believe that the WoT approach will offer
>   better security than the current CA's, but that's going to take
>   a lot of education and responsibility.

As far as I have been told, as soon as there is at least /one/ CA
imported into the browser which says OKAY to the server
certificate, no questions will be asked. It is not as with SSH
for example, where any deviation from the 'IP <--> fingerprint'
mapping known at client-side (known_hosts) triggers an alarm.
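The two points above, that a certificate a different CA issues for the same name cannot reproduce a fingerprint taken over the server's own public key, and that a known_hosts-style check alarms on any change, as an added shell example that is not part of the thread; it assumes an openssl CLI, and the name example.test and all file names are made up.

```shell
#!/bin/sh
# Added example, not from the thread: two certificates for the same domain,
# signed with different keys, and a known_hosts-style (trust-on-first-use)
# fingerprint check. Assumes an openssl CLI; example.test is a made-up name.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Two self-signed certificates for the same name. "srv" stands in for the
# real server; "rogue" for a certificate some other CA could issue for it.
for name in srv rogue; do
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=example.test" \
    -keyout "$WORK/$name.key" -out "$WORK/$name.crt" >/dev/null 2>&1
done

# SHA-256 over the DER-encoded SubjectPublicKeyInfo: this depends only on the
# server's key, not on which CA signed the certificate.
spki_fingerprint() {  # $1 = certificate file (PEM)
  openssl x509 -in "$1" -pubkey -noout \
    | openssl pkey -pubin -outform DER \
    | openssl dgst -sha256 | awk '{print $NF}'
}

# known_hosts-style check: the first visit records the fingerprint, every
# later visit must match it. Returns 0 on first use or match, 1 on a change.
KNOWN_HOSTS="$WORK/known_hosts"
: > "$KNOWN_HOSTS"
tofu_check() {  # $1 = host name, $2 = certificate file
  fp=$(spki_fingerprint "$2")
  stored=$(awk -v h="$1" '$1 == h {print $2}' "$KNOWN_HOSTS")
  if [ -z "$stored" ]; then
    echo "$1 $fp" >> "$KNOWN_HOSTS"
    return 0
  fi
  [ "$stored" = "$fp" ]
}

tofu_check example.test "$WORK/srv.crt" && echo "first visit: fingerprint pinned"
tofu_check example.test "$WORK/srv.crt" && echo "same key again: ok"
if tofu_check example.test "$WORK/rogue.crt"; then
  echo "rogue certificate accepted (should not happen)"
else
  echo "rogue certificate for example.test: fingerprint mismatch, alarm"
fi
```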
