> If this solution would solve the problem in such an easy way, why isn't
> it already in use for more than a decade? Recent studies going at task
> with those accessing SSH servers have shown that most users simply edit
> their known_hosts file - those people are way more knowledgeable than
> the casual users. It doesn't work...

Probably most of you are thinking of how to prevent MITM attacks in general, especially for self-signed certificates or the equivalent -- SSH.
What I want is different: I want to prevent the case where a trusted CA abuses its power. Currently, if a CA decides to create a rogue certificate to MITM attack a few selected people, that CA will most likely get away undetected and unpunished. This kind of attack is the real-life threat, raised to awareness by the controversy over CNNIC.

The way to solve it is not to inform people of each potential attack, because there will be too many false positives, pushing people to just ignore it, rendering the scheme ineffective. The way to solve it is to make a small number of relevant and knowledgeable people aware of the incident, so the public can bring the violator to justice.

--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto