On Sat, Mar 15, 2014 at 5:27 AM, carlo von lynX <l...@time.to.get.psyced.org> wrote: > On Fri, Mar 14, 2014 at 04:45:01PM -0500, John Adams wrote: >> Granted, it provides a low level of encryption for clients but it does not >> provide Non-repudiability to those users, opening them up to MitM attacks. > > It is inappropriate to say "opening up to MitM" if the > alternative is plain-text HTTP which can be MitM'd by anyone anytime.
Inappropriate? What part of "false sense of security over HTTPS" are you missing here? If the goal is to secure the connection and then you trust self-signed certs or trust anyone to create any cert for anyone, you've failed. While you're correct in saying that plaintext HTTP can be MiTM'd by anyone, HTTPS with no CA to verify whom the other side is is exactly the same problem and it turns what would normally be a trusted, strong connection into a easily MitM'd one. I think my characterization here is completely appropriate. CAs are there to introduce parties that do not trust each other. Without the CA or an alternate trust system, you're sunk. > Noone has suggested that the user should be given the impression > that an opportunistic https connection is safe: Were I a browser > vendor I would not show any lock icon at all when using this mode > of https operation, Perhaps a "congratulations, this connection's security is a complete and utter falsehood" icon is better here. > What we need from web browsers is: > - a way to accept self-signed certs silently Insanity. > - do not show a lock, operate as if it was plain-text HTTP Now you're telling the truth. > - implement pinning as with Certificate Patrol add-on, so at least > we get to enjoy TOFU Ok, if there is first-time-trust, that's acceptable, but it begs the question, for how long do we trust this pin? > - generate self-signed certs for any plain-text website > and upgrade to TLS/DHE by default You are confusing protocols. > Maybe we should give these self-signed certs a standard CA name, > like using "*" as the name for the CA. *facepalm* -john -- Liberationtech is public & archives are searchable on Google. Violations of list guidelines will get you moderated: https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe, change to digest, or change password by emailing moderator at compa...@stanford.edu.