On 05/05/2019, Jeffrey Walton via cfarm-users
<cfarm-users@lists.tetaneutral.net> wrote:
> On Sun, May 5, 2019 at 2:55 PM Olly Betts via cfarm-users
> <cfarm-users@lists.tetaneutral.net> wrote:
>> But even a list on an https protected web page seems better than just
>> having to trust on first use.
>
> +1, trusted distribution channels.
Just a technical mini-point: https is cracked. There are hundreds of
"trusted" certificare issuers, including, for example, the Library of
Budapest. To man-in-the-middle an https transaction, you only need to
corrupt one of the "trusted" CIs, issue falsies. With hundreds to
choose from it's a doddle, and the NSA has millions in budget for
exactly that purpose!
I was always worried about the "certificate issuer" thing. And it
turns out I was right!
M
_______________________________________________
cfarm-users mailing list
cfarm-users@lists.tetaneutral.net
https://lists.tetaneutral.net/listinfo/cfarm-users
