Hi, after the Snowden revelations and even before, there is this real and present danger of man-in-the-middle attacks for today's browsers. The hierarchical X.509 model is flawed especially since national security letters allow the NSA to get pretty much anything certified.
Yes, it is possible to check the certificate (or the fingerprint), but who does that? Apropos, why are the SHA1 and MD5 fingerprints hidden behind 3 clicks? Can't we add some visual fingerprint in the window that pops up when I click the lock symbol?

What about creating a distributed hash table where we could count collectively which public key has been used by a particular server how often? When I visit amazon.com and my browser tells me that I am the only one who got that public key I'm having, I know immediately that I am not really communicating with Amazon.

Just my 2 cents

--
Raphael

--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
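
A minimal model of the collective key count proposed in the message above, added here as an illustration and not part of the original post. The names `KeyTable` and `assess`, the host `shop.example` and the key byte strings are assumptions; an in-memory dict stands in for the distributed hash table, and SHA-256 is this example's choice of fingerprint.

```python
import hashlib
from collections import defaultdict

def key_fingerprint(public_key_der: bytes) -> str:
    # SHA-256 is this example's choice; the post mentions SHA1 and MD5 fingerprints.
    return hashlib.sha256(public_key_der).hexdigest()

class KeyTable:
    """In-memory stand-in for the shared table: host -> fingerprint -> set of clients."""

    def __init__(self):
        self._seen = defaultdict(lambda: defaultdict(set))

    def report(self, host: str, public_key_der: bytes, client_id: str) -> None:
        # A set per key: one client reporting repeatedly still counts once.
        self._seen[host][key_fingerprint(public_key_der)].add(client_id)

    def clients_per_key(self, host: str) -> dict:
        return {fp: set(c) for fp, c in self._seen.get(host, {}).items()}

def assess(table: KeyTable, host: str, my_key_der: bytes, me: str) -> str:
    """Compare the key this client received with what other clients reported."""
    per_key = table.clients_per_key(host)
    others_any = set().union(*per_key.values()) - {me}
    if not others_any:
        return "no-data"      # nobody else has seen this host: no basis to judge
    others_mine = per_key.get(key_fingerprint(my_key_der), set()) - {me}
    if not others_mine:
        return "only-me"      # others know the host, but nobody else got my key
    return "shared"           # at least one other client saw the same key

# Constructed sample data: byte strings standing in for DER-encoded public keys.
KEY_A = b"constructed-public-key-A"
KEY_B = b"constructed-public-key-B"

def demo() -> dict:
    table = KeyTable()
    for client in ("c1", "c2", "c3", "c3"):   # c3 reports twice
        table.report("shop.example", KEY_A, client)
    table.report("shop.example", KEY_B, "me")
    fp_a = key_fingerprint(KEY_A)
    return {
        "got_B": assess(table, "shop.example", KEY_B, "me"),
        "got_A": assess(table, "shop.example", KEY_A, "me"),
        "new_host": assess(table, "other.example", KEY_A, "me"),
        "key_A_clients": len(table.clients_per_key("shop.example")[fp_a]),
    }

if __name__ == "__main__":
    print(demo())
```

The "no-data" result is kept separate from "only-me" because a host nobody else has reported gives the count nothing to compare against.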