Gervase Markham wrote:
> It should not convey the impression that it's more, but it should not
> convey the impression that it's less.

Actually, as far as I'm concerned this is a moot point, because it still instils a false sense of security, just slightly modified from what you're suggesting...

> Encryption protects you from unknown people eavesdropping on your
> conversation. How useful is that protection when you have no way of
> knowing who you are conversing with?

Since the browser doesn't warn about changing certificate fingerprints, you can't assume that you are still talking to who you think you are either. While harder to exploit, it's not impossible for a CA to issue a fraudulent certificate which can be used by (ISPs, Government agencies, anyone else with a sufficiently large wad of cash) to man in the middle traffic, and after all if you have a sufficiently large wad of cash to pay lawyers to draw up policy documents, then pay more cash to WebTrust to say yes you adhere to your policies, you too can be included in any browser you like!

Basically this whole argument is based on the principle that CAs aren't corrupt, or aren't able to be given a gag order and an order to comply with some government's wishes. Not to mention one or more CAs openly advertise they do a lot of snoop services?

So at the end of the day we're all pretty much only able to assume SSL can protect non-important passwords, and credit card numbers, after all any government worth its salt should be able to obtain the latter without resorting to traffic interception.

--
Best regards,
Duane

http://www.cacert.org - Free Security Certificates
http://www.nodedb.com - Think globally, network locally
http://www.sydneywireless.com - Telecommunications Freedom
http://happysnapper.com.au - Sell your photos over the net!
http://e164.org - Using Enum.164 to interconnect asterisk servers

"In the long run the pessimist may be proved right, but the optimist has a better time on the trip."
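
The check the message above says browsers lack, a warning when a site's certificate fingerprint changes, sketched as an added example that is not part of the original post. `PinStore`, the host name and the certificate bytes are constructed for illustration.

```python
import hashlib
import hmac


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate, as lowercase hex."""
    return hashlib.sha256(der_cert).hexdigest()


class PinStore:
    """Hypothetical trust-on-first-use store: one remembered fingerprint per host."""

    def __init__(self):
        self._pins = {}  # (host, port) -> fingerprint hex

    def check(self, host: str, port: int, der_cert: bytes) -> str:
        """Return 'first-seen', 'match' or 'changed'. Never re-pins on its own."""
        key = (host.lower(), port)
        seen = fingerprint(der_cert)
        pinned = self._pins.get(key)
        if pinned is None:
            self._pins[key] = seen
            return "first-seen"
        if hmac.compare_digest(pinned, seen):
            return "match"
        # Also fires on an ordinary renewal: the caller has to ask the user.
        return "changed"

    def accept(self, host: str, port: int, der_cert: bytes) -> None:
        """Re-pin once the new certificate has been verified out of band."""
        self._pins[(host.lower(), port)] = fingerprint(der_cert)


# Constructed stand-ins for DER certificates (not real certificates). In real
# use the bytes would come from ssl.SSLSocket.getpeercert(binary_form=True).
CERT_ORIGINAL = b"constructed-der-bytes-original"
CERT_OTHER_CA = b"constructed-der-bytes-reissued-by-another-ca"


def demo():
    store = PinStore()
    results = [
        store.check("mail.example.org", 443, CERT_ORIGINAL),  # first visit
        store.check("mail.example.org", 443, CERT_ORIGINAL),  # same certificate
        store.check("MAIL.example.org", 443, CERT_OTHER_CA),  # different certificate
        store.check("mail.example.org", 443, CERT_OTHER_CA),  # still not trusted
    ]
    store.accept("mail.example.org", 443, CERT_OTHER_CA)
    results.append(store.check("mail.example.org", 443, CERT_OTHER_CA))
    return results
```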
