Re: Avoid HTTPS when possible?



Ivan Shmakov <oneingray@xxxxxxxxx> wrote:
Lasse Kliemann <lasse-usenet-2012@xxxxxxxxxxxxxxxxxxxx> writes:

[...]

So I would put the SSL fingerprint of my webserver on the visiting
card, in order that users can check the fingerprint and then import
the server certificate into their browser. However, this is in vain
if some CA issues false certificates for my domain.

AIUI, it's not. A CA could indeed issue a false certificate for
the domain name. However, it isn't that easy to make it possess
the same fingerprint, as it's the server's public key that the
fingerprint is computed from.

Actually, the whole point of CA's is to simplify public key
exchange. In a world where everyone is able to just send his or
her own public keys, or (though less secure) their respective
fingerprints, to everyone, there's no need in CA.

Ultimately, yes, I believe that the WoT approach will offer
better security than the current CA's, but that's going to take
a lot of education and responsibility.

As far as I have been told, as soon as there is at least /one/ CA
imported into the browser which says OKAY to the server
certificate, no questions will be asked. It is not as with SSH
for example, where any deviation from the 'IP <--> fingerprint'
mapping known at client-side (known_hosts) triggers an alarm.
.



Relevant Pages

  • Re: Re: Certificate problem
    ... > only one certificate ... IE verify the CRL ... signed by the same certifier with root key, and a server certificate ... the browser did request the crl and crl was returned to the machine. ...
    (microsoft.public.windows.inetexplorer.ie6.browser)
  • Issue with CRL process in IE
    ... I have created an internet certifier (self-signed certificate), ... signed by the same certifier with root key, and a server certificate ... the browser did request the crl and crl was returned to the machine. ...
    (microsoft.public.windows.inetexplorer.ie6.browser)
  • Re: SSL components
    ... > that I want to generate a SSL certificate that I can use on a web site. ... clients you are in control of which root certificate you want to include ... The browser might use online LDAP for verifying the server ... If you just want to know how to practically create a server certificate ...
    (borland.public.delphi.thirdpartytools.general)
  • RE: Checkpoint smart defance as IPS
    ... the browser trusts all certificate authorities ... *any* SSL/TLS communication without tampering anything on the client ... website a client visits on-the-fly. ...
    (Security-Basics)
  • RE: Checkpoint smart defance as IPS
    ... you claim that SSL/TLS can be intercepted and MITM is ... social engineering and not MITM or interception for that matter. ... don't have private key for the certificate on that website. ... You claimed that browser only checks for domain name ...
    (Security-Basics)