
Re: Avoid HTTPS when possible?

Path csiph.com!x330-a1.tempe.blueboxinc.net!usenet.pasdenom.info!aioe.org!.POSTED!not-for-mail
From Ivan Shmakov <oneingray@gmail.com>
Newsgroups comp.security.misc
Subject Re: Avoid HTTPS when possible?
Date Sun, 22 Jan 2012 12:28:38 +0700
Organization Aioe.org NNTP Server
Lines 27
Message-ID <86k44k71bt.fsf@gray.siamics.net> (permalink)
References <5b6b58.6lp.19.1@news.alt.net>
NNTP-Posting-Host FtDGZaUx6k7Bzdiv4MgYAg.user.speranza.aioe.org
Mime-Version 1.0
Content-Type text/plain; charset=us-ascii
X-Complaints-To abuse@aioe.org
User-Agent Gnus/5.13 (Gnus v5.13) Emacs/23.2 (gnu/linux)
X-Notice Filtered by postfilter v. 0.8.2
Cancel-Lock sha1:XQd15L4A+l11PDIyECbwAYMKs3I=
Xref x330-a1.tempe.blueboxinc.net comp.security.misc:337


>>>>> Lasse Kliemann <lasse-usenet-2012@mail.plastictree.net> writes:

[...]

 > So I would put the SSL fingerprint of my webserver on the visiting
 > card, in order that users can check the fingerprint and then import
 > the server certificate into their browser.  However, this is in vain
 > if some CA issues false certificates for my domain.

	AIUI, it's not.  A CA could indeed issue a false certificate for
	the domain name.  However, it isn't that easy to make it possess
	the same fingerprint, as it's the server's public key that the
	fingerprint is computed from.

	Actually, the whole point of CAs is to simplify public key
	exchange.  In a world where everyone is able to just send his or
	her own public keys, or (though less secure) their respective
	fingerprints, to everyone, there's no need for a CA.

	Ultimately, yes, I believe that the WoT approach will offer
	better security than the current CAs, but that's going to take
	a lot of education and responsibility.

[...]

-- 
FSF associate member #7257
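
Added example, not part of the original post: a sketch of the fingerprint check discussed above, comparing the certificate a server presents against a fingerprint received out of band, with no CA consulted. It assumes the printed fingerprint is the SHA-256 of the DER-encoded certificate; all function names are hypothetical and the two certificate byte strings are constructed stand-ins, not real DER.

```python
import hashlib
import hmac
import socket
import ssl


def normalize_fingerprint(text: str) -> bytes:
    """Parse a printed fingerprint ("AB:CD:...", any case, colons or spaces)."""
    raw = bytes.fromhex("".join(ch for ch in text if ch not in ": \t\r\n"))
    if len(raw) != hashlib.sha256().digest_size:
        raise ValueError("expected a 32-byte SHA-256 fingerprint")
    return raw


def cert_fingerprint(cert_der: bytes) -> bytes:
    """SHA-256 over the DER-encoded certificate (assumed fingerprint format)."""
    return hashlib.sha256(cert_der).digest()


def format_fingerprint(raw: bytes) -> str:
    """Render a digest the way it would be printed on the card."""
    return ":".join(f"{b:02X}" for b in raw)


def matches_pin(cert_der: bytes, printed: str) -> bool:
    """True only for the exact certificate whose fingerprint was handed out."""
    return hmac.compare_digest(cert_fingerprint(cert_der),
                               normalize_fingerprint(printed))


def fetch_cert_der(host: str, port: int = 443, timeout: float = 10.0) -> bytes:
    """Return the certificate the server presents without consulting any CA,
    so the fingerprint comparison is the only trust decision."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False        # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


# Constructed stand-ins for two DER certificates issued for the same name
# with different keys; real input would come from fetch_cert_der().
OWNER_CERT = b"constructed: CN=www.example.org key=owner"
OTHER_CERT = b"constructed: CN=www.example.org key=other"
CARD_FINGERPRINT = format_fingerprint(cert_fingerprint(OWNER_CERT))

if __name__ == "__main__":
    print(matches_pin(OWNER_CERT, CARD_FINGERPRINT))
    print(matches_pin(OTHER_CERT, CARD_FINGERPRINT))
```

The comparison is only as trustworthy as the channel the fingerprint arrived on, and a pinned fingerprint has to be redistributed whenever the certificate is replaced.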


Thread

Avoid HTTPS when possible? Lasse Kliemann <lasse-usenet-2012@mail.plastictree.net> - 2012-01-19 19:00 +0100
  Re: Avoid HTTPS when possible? "Thor Kottelin" <thor@anta.net> - 2012-01-19 20:10 +0200
  Re: Avoid HTTPS when possible? Ivan Shmakov <oneingray@gmail.com> - 2012-01-22 12:28 +0700
    Re: Avoid HTTPS when possible? Lasse Kliemann <lasse-usenet-2011@mail.plastictree.net> - 2012-01-22 10:05 +0100
