[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: Nodoka 0.7 beta 1 released



Matthias Clasen <mclasen <at> redhat.com> writes:
> Making it this annoying may be the only way to get some of the web sites
> fixes. I'd certainly hope that it has this effect for the RH/Fedora
> servers...

"Get them fixed" as in "force them to shell out loads of money to the 
certificate cartels"... What security does this bring in practice? Consider 
that many phishing sites have valid (!) SSL certificates, whereas several 
legitimate sites have self-signed certificates.

And no, I don't need a theory rehash about man-in-the-middle attacks, I know 
that valid certificates prevent these, but in practice MITM isn't what's used 
for real-world attacks, phishing-gangster-at-the-other-end is, and SSL 
certificates have shown highly vulnerable to these (because let's face it, the 
certificate cartels' real motivation is to make money, they'll do as few 
verifications of their clients as they'll get away with).

        Kevin Kofler


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]