-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Hi
On Saturday 11 December 2010 at 11:49:23 PM, in <mid:[email protected]>, Daniel Kahn Gillmor wrote: > On 12/11/2010 06:22 PM, MFPA wrote: >> A question on the subject of SSL/TLS certificates and >> HTTPS: often there is no user requirement to >> "authenticate" the identity of the server, but rather >> a simple requirement to prevent snooping; why does >> this need a certificate? > "prevent snooping" means "only me and the remote server > i'm connected to has access to the communication". > if you don't know who the remote server actually *is*, > you cannot prevent snooping by a man-in-the-middle. That's a fair point; it depends on the threat model. RFC 5246 says the authentication is optional, but that completely anonymous connections only provide protection against passive eavesdropping, and server authentication is required where active man-in-the-middle attacks are a concern. But couldn't a man-in-the-middle server authenticate by presenting the user's browser with an acceptable certificate signed by a "trusted" CA? And is a self-signed certificate any more or any less secure in this scenario? - -- Best regards MFPA mailto:[email protected] Was time invented by an Irishman named O'Clock? -----BEGIN PGP SIGNATURE----- iQCVAwUBTQQv/KipC46tDG5pAQpW0AP/bAu1BH4NQMa95FaZ89A2kB2gdE4koxmj xhKTdTLwnW/PHLPch1vCk6YAPkZxlxAr1wrTi7Mp/9zZWJ5HDi/IZqMnEKyCB7nX GVe/zuVzd1U2HjIK9IvTzko7UIek9YSNmKE94ejz5Bo/c/1AXZ32xgrZ0w97US6k LdhIQd2Np+Q= =RAF9 -----END PGP SIGNATURE----- _______________________________________________ Gnupg-users mailing list [email protected] http://lists.gnupg.org/mailman/listinfo/gnupg-users
