SSH and HTTPS are both a strong protection against traffic sniffing, but are prone to MitM in some cases.
Certificate signing means nothing, because:
1. There are countless of CA all around the world, and every single one of them can issue a certificate for any domain.
2. If you're in corporate network, it's usual to add corporate CAs to a CA list in order for local resources to work. But it means that corporate CA can issue a certificate for any domain.
Even worse than that, TLS is vulnerable to so called "compelled certificate creation attack". Which means that a legitimate CA can be forced to issue a fraudulent certificate that can be used for mitm later. See http://files.cloudprivacy.net/ssl-mitm.pdf .
SSH is in fact more secure than HTTPS, because it stores public key locally. If you connect to a legit host once, you can feel safe connecting to it later, because you have the public key. SSH also provide a possibility to obtain a fingerprint from DNS, so if you manage to secure your connection to a public DNS server, you are safer than with HTTPS.
I'm eagerly waiting for DANE protocol to be widely accepted, but until then HTTPS protection against MitM is a myth.
10.12.2013, 01:40, "Simon" <[email protected]>:
--By design HTTPS/TLS is supposed to protect against man-in-the middle! Isn't that what certificate signing is all about? Else we could just all generate our own certificates. SSH on the other hand does not really prevent MitM (but mitigates it slightly with fingerprints). Correct me if I'm wrong here..
On Thursday, December 5, 2013 4:25:53 PM UTC-8, Alex Kocharin wrote:
Yeah, shasums are usually pgp signed.
HTTPS is a protection against traffic sniffing, nothing more than that. While it's nice to use it everywhere, it doesn't really protect against MitM.
On Tuesday, December 3, 2013 1:10:29 AM UTC+4, Igor Partola wrote:This is a security issue. For example this announcement of 0.11.9 availability (http://blog.nodejs.org/2013/11/20/node-v0-11-9-unstable/) is served in plaintext, such that the SHA1 signatures can be tempered along with the binaries to run arbitrary code on the target machine. Note that there is no option to access any resource on *.nodejs.org via HTTPSPlease enable HTTPS on this site. Additionally, please provide checksums using algorithms other than SHA1, such as SHA256.--
--
Job Board: http://jobs.nodejs.org/
Posting guidelines: https://github.com/joyent/node/wiki/Mailing-List-Posting-Guidelines
You received this message because you are subscribed to the Google
Groups "nodejs" group.
To post to this group, send email to [email protected]
To unsubscribe from this group, send email to
[email protected]
For more options, visit this group at
http://groups.google.com/group/nodejs?hl=en?hl=en
---
You received this message because you are subscribed to the Google Groups "nodejs" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
For more options, visit https://groups.google.com/groups/opt_out.
--
Job Board: http://jobs.nodejs.org/
Posting guidelines: https://github.com/joyent/node/wiki/Mailing-List-Posting-Guidelines
You received this message because you are subscribed to the Google
Groups "nodejs" group.
To post to this group, send email to [email protected]
To unsubscribe from this group, send email to
[email protected]
For more options, visit this group at
http://groups.google.com/group/nodejs?hl=en?hl=en
---
You received this message because you are subscribed to the Google Groups "nodejs" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
For more options, visit https://groups.google.com/groups/opt_out.
