On Mon, 6 May 2019, 06:11 Martin Guy via cfarm-users, <cfarm-users@lists.tetaneutral.net> wrote:

> On 05/05/2019, Jeffrey Walton via cfarm-users
> <cfarm-users@lists.tetaneutral.net> wrote:
> > On Sun, May 5, 2019 at 2:55 PM Olly Betts via cfarm-users
> > <cfarm-users@lists.tetaneutral.net> wrote:
> >> But even a list on an https protected web page seems better than just
> >> having to trust on first use.
> >
> > +1, trusted distribution channels.
>
> Just a technical mini-point: https is cracked. There are hundreds of
> "trusted" certificate issuers, including, for example, the Library of
> Budapest. To man-in-the-middle an https transaction, you only need to
> corrupt one of the "trusted" CIs, issue falsies. With hundreds to
> choose from it's a doddle, and the NSA has millions in budget for
> exactly that purpose!

If you're worried about that, using shared servers that almost anybody can get a local account on is probably a bad idea anyway :-)

Verifying you're connecting to the right host doesn't help much if bad actors have a login to the host.

> I was always worried about the "certificate issuer" thing. And it
> turns out I was right!