On Fri, Sep 09, 2011 at 04:57:55PM +0200, Aristotle Pagaltzis wrote:
> * Arthur Corliss <corl...@digitalmages.com> [2011-08-28 21:40]:
> > My humor was perhaps too subtle, since you didn't get the
> > relevance of my reply. Google switching to SSL by default is as
> > pointless as metacpan. In the former case it's the "protection"
> > of delivery to/from an entity that not only doesn't have your
> > best interest at heart, but has a business built on exploiting
> > *your* information for *its* benefit. Utterly pointless.
>
> Protecting your communication with another party from third
> parties needs no justification whatever. It should be the assumed
> default that exceptions are made from, not the exception from the
> rule requiring proof.
>
> If I’m having a massive argument with my personal foe #1, the
> fact that I distrust this person on all conceivable levels does
> not make you welcome to eavesdrop on the conversation.
>
> It does not matter the very least bit how trustworthy the other
> party is: uninvited third parties have no business knowing what
> you do or do not say to the other party.

[snip the rest of an e-mail with more excellent arguments]
I also wonder why it is that nobody has so far brought up another important consequence of using SSL, at least with a trusted certificate at the other end - protection from not just eavesdropping, but also man-in-the-middle attacks.

Yes, it seems kind of... weird... to think of MITM attacks against MetaCPAN, but with just a little bit of further thinking, it's not all *that* weird - and now you've all started me wondering how difficult it would be to "catch" an HTTP file transfer of a previously unknown Perl module out of the air, hijack it, unpack the tarball, add a couple of lines to Build.PL (or Makefile.PL or whatever), repack it and pass it on down the line :)

No, of course I'm not going to seriously sit down and write code doing that. Still... I really wonder why no one has brought MITM attacks up yet :)

G'luck,
Peter

-- 
Peter Pentchev	r...@ringlet.net	r...@freebsd.org	pe...@packetscale.com
PGP key:	http://people.FreeBSD.org/~roam/roam.key.asc
Key fingerprint	FDBA FD79 C26F 3C51 C95E DF9E ED18 B68D 1619 4553
This sentence every third, but it still comprehensible.
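As an added illustration of the in-flight rewrite Peter describes (this is editor-added example code, not something from the thread or from MetaCPAN), the following Python builds a small constructed tarball standing in for a Perl distribution, simulates the hypothetical attacker unpacking it, prepending lines to Makefile.PL and repacking it, and then shows that the recipient can only tell the difference when it holds a digest of the original that arrived over an authenticated channel (TLS with a verified certificate, or a signed checksum file). The distribution name, file contents and injected line are all made up for the example; the injected line is an inert Perl comment.

```python
import hashlib
import hmac
import io
import tarfile


# Constructed sample distribution, not a real CPAN module: a Makefile.PL
# and one module file, packed the way a client would receive them.
def build_dist(files):
    """Pack {member name: bytes} into a gzip-compressed tarball."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in sorted(files.items()):
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def read_members(dist):
    """Unpack a gzip-compressed tarball into {member name: bytes}."""
    files = {}
    with tarfile.open(fileobj=io.BytesIO(dist), mode="r:gz") as tar:
        for member in tar.getmembers():
            if member.isfile():
                files[member.name] = tar.extractfile(member).read()
    return files


ORIGINAL_DIST = build_dist({
    "Foo-Bar-0.01/Makefile.PL":
        b"use ExtUtils::MakeMaker;\nWriteMakefile(NAME => 'Foo::Bar');\n",
    "Foo-Bar-0.01/lib/Foo/Bar.pm": b"package Foo::Bar;\n1;\n",
})

# The "couple of lines" the e-mail imagines an attacker adding. Kept inert
# here (a Perl comment) as a stand-in for whatever the attacker would run.
INJECTED_LINES = b"# inserted in transit by the hypothetical attacker\n"


def mitm_rewrite(dist, target="Makefile.PL", payload=INJECTED_LINES):
    """Simulate the in-flight rewrite: unpack, prepend lines to the build
    script, repack. Every other member passes through untouched and the
    result is still a perfectly valid tarball, so nothing in the tarball
    itself tells the recipient that it was touched."""
    files = read_members(dist)
    for name in files:
        if name.split("/")[-1] == target:
            files[name] = payload + files[name]
    return build_dist(files)


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def verify_dist(dist, expected_sha256_hex):
    """Integrity check the client can only rely on if expected_sha256_hex
    reached it over an authenticated channel. Over plain HTTP the same
    attacker who rewrote the tarball could have rewritten the digest too."""
    return hmac.compare_digest(sha256_hex(dist), expected_sha256_hex)


if __name__ == "__main__":
    trusted_digest = sha256_hex(ORIGINAL_DIST)  # as published by the server
    tampered = mitm_rewrite(ORIGINAL_DIST)       # as delivered over HTTP
    print("original verifies:", verify_dist(ORIGINAL_DIST, trusted_digest))
    print("tampered verifies:", verify_dist(tampered, trusted_digest))
    print(read_members(tampered)["Foo-Bar-0.01/Makefile.PL"].decode())
```

The point of the example is the last function: the digest comparison is only as good as the channel the digest came over, which is exactly why serving the index and checksums over SSL with a trusted certificate buys MITM protection and not merely privacy from eavesdroppers.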