On 5/19/2010 10:32 AM, Eddy Nigg wrote:
> On 05/19/2010 05:37 PM, From Jean-Marc Desperrier:
>>
>> Or investing some serious time evangelising the SSL site owners into
>> using a real certificate.
>>
>> But the status quo doesn't work.
>
> Amen! And you know what - today there is NO reason whatsoever not to get
> real certs, they are available from free to very little these days.
> Certainly for sites which use self-signed certs those are sufficient.

I've been using https for various projects for years and years and I just learned this the other day. Perhaps one identifiable improvement here is that this ability to get acceptable certs easily could be made more widely known?

>> I collected a page of links on my blog. All of them raise SSL warnings.
>> Not one is actually an attacker.
>
> You don't know actually. But it's not important for you either.

Good point. Has nobody else used the internet from a hotel or other location which did a MitM on you? It's been tried on my SSL connections. Some of these jokers are injecting scripts into web pages. This is not cool with me in general and I was glad to be alerted to it by the SSL cert error page.

>> Still one could for example think about an option to crowdsource the
>> answer.

Crowdsourcing is interesting but it's hard to quantify from a security perspective. How is it different than, say, trusting an identity based on the number of friends on some popular social networking site? If you actually have something worth attacking, I would suspect that it could be subverted fairly easily with spammer and SEO-type techniques.

>> Not automatically, but have a button when you meet the problem that
>> asks the network if "svn.boost.org + this certificate imprint" is a
>> fake or not.
>
> How do you know?

May I just say that the Boost C++ library project is awesome?

- Marsh

--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto