Let's say web servers auto-generated self-signed certificates for any domain that didn't supply its own certificate, likely one from an authority.
What that would accomplish is to make the stream unreadable over the wire, unless the attacker was willing and able to do an MITM with their own auto-generated self-signed certificate. It would not be hard to do that MITM, but it would be orders of magnitude more expensive than copying unencrypted bytes off the router. It would not be practical to do the MITM against a large portion of traffic. The attacker would have to pick their targets. Thoughts?
-- Liberationtech is public & archives are searchable on Google. Violations of list guidelines will get you moderated: https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe, change to digest, or change password by emailing moderator at [email protected].
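The trade-off the post describes, as an added example in Go (not part of the original message or anything the list published): a server mints its own certificate, a CA-verifying client refuses it, an opportunistic client accepts it and records the leaf's fingerprint, which is the value a first-contact pin would compare against a later substituted certificate. The loopback listener, the hostname example.test and the one-day validity are assumptions of the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"math/big"
	"time"
)
// SelfSigned mints the certificate a server would auto-generate for a host that supplied none.
func SelfSigned(host string) (tls.Certificate, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{ // self-issued: the template is also its own parent
		SerialNumber: big.NewInt(1),
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: priv}, err
}

// Serve listens on loopback with cert and returns its address plus a stop func.
func Serve(cert tls.Certificate) (addr string, stop func(), err error) {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{cert}})
	if err != nil {
		return "", nil, err
	}
	go func() { // server side: complete each handshake, then hang up
		for c, e := ln.Accept(); e == nil; c, e = ln.Accept() {
			go func(c *tls.Conn) { c.Handshake(); c.Close() }(c.(*tls.Conn))
		}
	}()
	return ln.Addr().String(), func() { ln.Close() }, nil
}

// Connect dials addr. With verify set it acts like a browser and rejects a cert not chaining to a
// trusted CA; unset, it is opportunistic and returns the leaf's SHA-256, the value to pin on first contact.
func Connect(addr string, verify bool) ([32]byte, error) {
	c, err := tls.Dial("tcp", addr, &tls.Config{ServerName: "example.test", InsecureSkipVerify: !verify})
	if err != nil {
		return [32]byte{}, err
	}
	return sha256.Sum256(c.ConnectionState().PeerCertificates[0].Raw), c.Close()
}
```

Encryption alone is what the opportunistic client gets; the pinned fingerprint is what would reveal that a second, different self-signed certificate had been put in the path.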
