* Daniel Kahn Gillmor <[email protected]>, 2014-01-13, 23:03:
if the only axis we're measuring along is cryptographic security, then
protecting against passive attackers (eavesdroppers) is clearly better
than not doing so.
but if people think that CUPS' TLS protects them against active
attackers, and they use that to do things like send confidential
information over the link, they have been lulled into a false sense of
security.
Hear, hear.
So, how would people feel about the following policy:
TLS clients must either:
- validate server certificates;
- or prominently document that they don't do that?
?
--
Jakub Wilk
--
To UNSUBSCRIBE, email to [email protected]
with a subject of "unsubscribe". Trouble? Contact [email protected]
Archive: http://lists.debian.org/[email protected]
