Avoid HTTPS when possible?
- From: Lasse Kliemann <lasse-usenet-2012@xxxxxxxxxxxxxxxxxxxx>
- Date: Thu, 19 Jan 2012 19:00:17 +0100
After the recent CA disasters, I wonder if one should avoid HTTPS
whenever possible, in order not to create a false sense of
security. I registered a .NAME domain some time ago and put some
contact information there, including OpenPGP key and e-mail
addresses. I was thinking of putting the URL with 'https' prefix
on my visiting cards. But then I would like to give visitors the
opportunity to check whether the site they are connected to is in
fact run by the person who gave them the visiting card. So I
would put the SSL fingerprint of my webserver on the visiting
card, in order that users can check the fingerprint and then
import the server certificate into their browser. However, this
is in vain if some CA issues false certificates for my domain.
I do not see much that could be done about it.
So I currently tend to only put an e-mail address and my OpenPGP
fingerprint on the visiting card (and maybe the .NAME domain, but
only with 'http' prefix).
What do you think?
I think that it would be best if browsers could be configured to
associate specific server SSL fingerprints with certain URLs and
warn whenever there is a mismatch. But this isn't to become
reality soon, I am afraid.
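
Added example, not part of the original post: a sketch of the check the last paragraph describes, keeping a table of pinned fingerprints per host name and comparing the certificate a server presents against it. The use of SHA-256 fingerprints, the host name example.name, the function names and the stand-in certificate bytes are assumptions made for the illustration.

```python
import hashlib
import hmac
import socket
import ssl

def normalize_fingerprint(text):
    """Accept the card's 'AB:CD:...' form or plain hex; return lowercase hex."""
    digits = "".join(ch for ch in text if ch not in ": -\t\n").lower()
    if len(digits) != 64 or any(ch not in "0123456789abcdef" for ch in digits):
        raise ValueError("not a SHA-256 fingerprint")
    return digits

def fingerprint(der_cert):
    """SHA-256 over the DER-encoded certificate, as lowercase hex."""
    return hashlib.sha256(der_cert).hexdigest()

def card_format(hex_fp):
    """Render a fingerprint the way it might be printed: 'AB:CD:...'."""
    return ":".join(hex_fp[i:i + 2] for i in range(0, len(hex_fp), 2)).upper()

def check_pin(pins, host, der_cert):
    """Return 'match', 'mismatch' or 'unpinned' for the presented certificate."""
    pinned = pins.get(host.lower().rstrip("."))
    if pinned is None:
        return "unpinned"
    same = hmac.compare_digest(normalize_fingerprint(pinned), fingerprint(der_cert))
    return "match" if same else "mismatch"

def fetch_der_cert(host, port=443, timeout=10):
    """Read the leaf certificate a server presents. CA validation is switched
    off on purpose: the pin is the only trust decision, so nothing else may be
    sent over this connection."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)

# Constructed sample data: byte strings standing in for DER certificates.
OWNER_CERT = b"constructed stand-in: certificate of the card's owner"
OTHER_CERT = b"constructed stand-in: different certificate, same host name"
PINS = {"example.name": card_format(fingerprint(OWNER_CERT))}  # hypothetical host

if __name__ == "__main__":
    for label, cert in (("owner", OWNER_CERT), ("other", OTHER_CERT)):
        print(label, check_pin(PINS, "example.name", cert))
```

The comparison uses only the certificate bytes, so a different certificate for the same host name gives 'mismatch' whichever CA signed it.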