On Mon, Aug 23, 2010 at 8:58 AM, morphium <[email protected]> wrote: >> I can see it could provide some >> protection against ssl/ssh mitm attacks. > > No. Why do you think it could?
- because by default applications trust either a large, promiscuous set of certificate authorities, or even worse, use the operating system supplied list of trusted authorities. - because by default applications do not or cannot utilize mitigating measures like perspective based certificate retrieval and consensus from varying endpoints or sources. - because by default applications may not support robust cipher suites or handle some aspects of protocol or session negotiation poorly / incorrectly / insecurely. - because by default applications don't support a persistent, mobile store of trusted server certificates built up over time, which a proxy could provide (Tahoe LAFS / encrypted $cloud storage for your certificate store available wherever you need it.) - lots of additional reasons... *********************************************************************** To unsubscribe, send an e-mail to [email protected] with unsubscribe or-talk in the body. http://archives.seul.org/or/talk/
