Avoid HTTPS when possible?

From Lasse Kliemann <lasse-usenet-2012@mail.plastictree.net>
Newsgroups comp.security.misc
Subject Avoid HTTPS when possible?
Date 2012-01-19 19:00 +0100
Organization Altopia Corp. - Usenet Access - www.altopia.com
Message-ID <5b6b58.6lp.19.1@news.alt.net>

After the recent CA disasters, I wonder if one should avoid HTTPS 
whenever possible, in order not to create a false sense of 
security. I registered a .NAME domain some time ago and put some 
contact information there, including OpenPGP key and e-mail 
addresses. I was thinking of putting the URL with 'https' prefix 
on my visiting cards. But then I would like to give visitors the 
opportunity to check whether the site they are connected to is in 
fact run by the person who gave them the visiting card. So I 
would put the SSL fingerprint of my webserver on the visiting 
card, in order that users can check the fingerprint and then 
import the server certificate into their browser. However, this 
is in vain if some CA issues false certificates for my domain.

I do not see much that could be done about it.

So I currently tend to only put an e-mail address and my OpenPGP 
fingerprint on the visiting card (and maybe the .NAME domain, but 
only with 'http' prefix).

What do you think?

I think that it would be best if browsers could be configured to 
associate specific server SSL fingerprints with certain URLs and 
warn whenever there is a mismatch. But this isn't to become 
reality soon, I am afraid.
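
The check proposed in the last paragraph (associate a certificate fingerprint with a host and warn on mismatch), as an added example that is not part of the original post. It assumes SHA-256 fingerprints over the DER certificate; `PinStore`, `example.name` and the byte strings standing in for certificates are hypothetical and constructed for illustration.

```python
import hashlib
import hmac
import ssl

def normalize_fp(text):
    """Accept a SHA-256 fingerprint as typed from a card: 'AB:CD:..', spaced or plain hex."""
    hexstr = "".join(ch for ch in text if ch not in ": \t\n-").lower()
    if len(hexstr) != 64 or any(c not in "0123456789abcdef" for c in hexstr):
        raise ValueError("not a SHA-256 fingerprint")
    return hexstr

def cert_fingerprint(der_bytes):
    """SHA-256 over the DER encoding, the value browsers display as the fingerprint."""
    return hashlib.sha256(der_bytes).hexdigest()

class PinStore:
    """Hypothetical per-host pin list; a host may carry several pins (e.g. a backup key)."""
    def __init__(self):
        self._pins = {}

    def pin(self, host, fingerprint):
        key = host.lower().rstrip(".")
        self._pins.setdefault(key, set()).add(normalize_fp(fingerprint))

    def check(self, host, der_bytes):
        pins = self._pins.get(host.lower().rstrip("."))
        if not pins:
            return "unpinned"  # no out-of-band knowledge: only CA trust applies
        seen = cert_fingerprint(der_bytes)
        ok = any(hmac.compare_digest(seen, p) for p in pins)
        return "match" if ok else "MISMATCH"  # a mismatch should warn even if a CA vouches

def fetch_der(host, port=443):
    """Fetch the live certificate; the chain is not validated here, the pin is the trust anchor."""
    pem = ssl.get_server_certificate((host, port))
    return ssl.PEM_cert_to_DER_cert(pem)

def demo():
    # Constructed stand-ins for DER certificates, so the example runs offline.
    owner_cert = b"constructed stand-in: certificate the site owner deployed"
    other_cert = b"constructed stand-in: different certificate issued for the same name"
    digest = cert_fingerprint(owner_cert).upper()
    card = ":".join(digest[i:i + 2] for i in range(0, 64, 2))  # as printed on the card
    store = PinStore()
    store.pin("example.name", card)
    return (store.check("example.name", owner_cert),
            store.check("EXAMPLE.name.", other_cert),
            store.check("unrelated.example", owner_cert))
```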



Thread

Avoid HTTPS when possible? Lasse Kliemann <lasse-usenet-2012@mail.plastictree.net> - 2012-01-19 19:00 +0100
  Re: Avoid HTTPS when possible? "Thor Kottelin" <thor@anta.net> - 2012-01-19 20:10 +0200
  Re: Avoid HTTPS when possible? Ivan Shmakov <oneingray@gmail.com> - 2012-01-22 12:28 +0700
    Re: Avoid HTTPS when possible? Lasse Kliemann <lasse-usenet-2011@mail.plastictree.net> - 2012-01-22 10:05 +0100
