On Thu, Mar 19, 2009 at 05:28:13AM -0400, Gregory Maxwell wrote: > People are unlikely to spend $$ to give their fake https sites real ca > signed certs. Its easy to test for, impossible to fake, and given how > the browser vendors handle self signed certs someone could claim they > are trying to defeat security risks by blocking self signed > webservers. >
I've seen quite a number of legit sites with self-signed certs. It could be the case that the operator of the site is a hobbyist, and short on cash. For example, I seriously considered using a self-signed cert for my https://www.mangrin.org remailer web page, although I ultimately went with cacert.org's free offering. > So I would guess that would put an upper limit on the level of disguse > the common node would get. The ability to multiplex with a real ca > signed https server might allow a few nodes to achieve better cover. > If bridges could produce an Apache "It works!" page along with a self-signed cert, it'd look like someone testing their web server. One challenge would be making that cert look like something generated from the OpenSSL command line tools. -- Christopher Davis Mangrin Remailer Admin PGP: 0x0F8DA163
