Sometimes we run small web servers on out notebook or phone. In most [maybe all] cases, there's a risk running them in cleartext http.
The problem with SSL is that certificates build on domain names. The assumptions are: 1. The server has an IP number that is fixed, and globally-recognized (i.e. not a local 192.168... one). 2. The clients can access the internet (and all those dns and ca servers it needs in order to authenticate the servers). This is not always true. Worse. It's not always desirable (e.g. piratebox). So we end up using a self-signed cert<https://gist.github.com/thedod/8136275>and we hope no one is MITMing us the *first* time we OK it [?]. *Can't we do this via QR codes?* Maybe it's possible to have a browser plugin that adds a "verify via QR code" button to the SSL warning page. Users would get the QR code from a trusted *person* (e.g. the bartender) not a location (e.g. sticker on the server box that can be replaced by attackers). A social engineering (+ MITM) attack is still possible, but this is something that is easier to warn people against. So my quesions are - Is this a good or a bad idea? - How hard would it be to implement as addons to desktop/phone browsers? Incentive: if you build it - I promise to do "IP block party": a piratebox clone with a built-in icecast server and turntable.fm-ish DJ queue. You feel me now? Happy holidays, The Dod
-- Liberationtech is public & archives are searchable on Google. Violations of list guidelines will get you moderated: https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe, change to digest, or change password by emailing moderator at [email protected].
