On Mon, Aug 12, 2013 at 11:10:39AM +0200, Guido Witmond wrote: > There is another problem. You rely on HTTPS. Here is the 64000 dollar > question: > > Q._"What is the CA-certificate for your banks' website?"_ > > I ask that question to anyone who claims to be security conscious. No > one has given me positive answer so far. Not even a wrong answer. Only > that people don't know. > > So I take it for granted that people won't verify anything, ever.
FWIW, I did run my browser in "trust on first use" (TOFU) mode -- I deleted all the CA certs and manually added exceptions for each site, as I encountered the certificate warnings -- for several years. I've given up on that for modern websites because - sites frequently include resources from other hostnames, and JS/CSS https errors are silently ignored by Firefox - loadbalanced websites frequently have multiple certificates for a single hostname, and Firefox only allows a single certificate exception per hostname - expiration times have come down to, generally, 1 year, and with multiple certs per page, I was approving a new cert for most pages at least once every few months, decreasing the value of Trust in TOFU. So in some sense I would have been able to answer that "what is the cert for your bank", by saying "the one that I approved last year and has been correctly working since then". But the world has passed that model by. -andy -- Liberationtech is a public list whose archives are searchable on Google. Violations of list guidelines will get you moderated: https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe, change to digest, or change password by emailing moderator at [email protected].
