Re: Avoid HTTPS when possible?
- From: Lasse Kliemann <lasse-usenet-2011@xxxxxxxxxxxxxxxxxxxx>
- Date: Sun, 22 Jan 2012 10:05:11 +0100
Ivan Shmakov <oneingray@xxxxxxxxx> wrote:
Lasse Kliemann <lasse-usenet-2012@xxxxxxxxxxxxxxxxxxxx> writes:
[...]
So I would put the SSL fingerprint of my webserver on the visiting
card, in order that users can check the fingerprint and then import
the server certificate into their browser. However, this is in vain
if some CA issues false certificates for my domain.
AIUI, it's not. A CA could indeed issue a false certificate for
the domain name. However, it isn't that easy to make it possess
the same fingerprint, as it's the server's public key that the
fingerprint is computed from.
Actually, the whole point of CA's is to simplify public key
exchange. In a world where everyone is able to just send his or
her own public keys, or (though less secure) their respective
fingerprints, to everyone, there's no need in CA.
Ultimately, yes, I believe that the WoT approach will offer
better security than the current CA's, but that's going to take
a lot of education and responsibility.
As far as I have been told, as soon as there is at least /one/ CA
imported into the browser which says OKAY to the server
certificate, no questions will be asked. It is not as with SSH
for example, where any deviation from the 'IP <--> fingerprint'
mapping known at client-side (known_hosts) triggers an alarm.
.
- References:
- Avoid HTTPS when possible?
- From: Lasse Kliemann
- Re: Avoid HTTPS when possible?
- From: Ivan Shmakov
- Avoid HTTPS when possible?
- Prev by Date: Re: Avoid HTTPS when possible?
- Next by Date: Very Huge collection of Solutions Manuals & Test Banks
- Previous by thread: Re: Avoid HTTPS when possible?
- Next by thread: Very Huge collection of Solutions Manuals & Test Banks
- Index(es):
Relevant Pages
|
