On Sat, 2 May 2020 10:14:13 +0200 Davide Prina <davide.pr...@gmail.com> wrote:
> On 01/05/20 22:00, Rebecca N. Palmer wrote:
> > On 01/05/2020 20:31, Elmar Stellnberger wrote:
> >> https isn't any more secure than http as long as you do not have a
> >> verifiably trustworthy server certificate that you can check for. As
> >> we know the certification authority system is totally broken.
> >
> > Imperfect yes, but still better than nothing.
>
> There is another problem: implementation. Not all the software that
> implements HTTPS verifies the validity of the certificate and the validity
> of all the certification chain.

I am not a security expert, but see my argument here with the Debian
ssmtp maintainer over whether a package that advertises TLS functionality
but fails to check the received certificate (and does not mention this
anywhere in its documentation) should be considered to have an 'important'
bug ;)

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=662960#51

Celejar
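The failure mode discussed in this thread, a client that negotiates TLS but never checks the certificate chain or the server name, can be shown in a few lines of Go. The program below is an added example for this page; it is not code from the thread, from ssmtp, or from any Debian package. It mints a throwaway self-signed certificate in-process (the host names `mail.example.test` and `other.example.test` are constructed for the example), then runs four client/server handshakes over an in-memory pipe: a strict client with the right trust anchor and name, a strict client with no trust anchor (unknown CA), a strict client with the wrong expected name, and a client configured with `InsecureSkipVerify`, which is exactly the "advertises TLS but checks nothing" behaviour Celejar describes. Only the first and the last succeed; the last one succeeds for the wrong reason.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// NewSelfSignedCert mints a throwaway self-signed certificate for host.
// Constructed in-process for the example; nothing here is a real CA.
func NewSelfSignedCert(host string) (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: host},
		DNSNames:              []string{host},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, nil
}

// StrictConfig is what a client that really checks the peer looks like:
// only the given root is trusted (an empty pool trusts nothing) and the
// presented certificate must match host.
func StrictConfig(host string, trustedRoot *x509.Certificate) *tls.Config {
	pool := x509.NewCertPool()
	if trustedRoot != nil {
		pool.AddCert(trustedRoot)
	}
	return &tls.Config{ServerName: host, RootCAs: pool, MinVersion: tls.VersionTLS12}
}

// SkipVerifyConfig reproduces the behaviour the thread complains about:
// TLS is negotiated, but the peer certificate is never checked at all.
func SkipVerifyConfig(host string) *tls.Config {
	return &tls.Config{ServerName: host, InsecureSkipVerify: true}
}

// Handshake runs one client/server TLS handshake over an in-memory pipe and
// returns the client's outcome; a verification failure surfaces as an error.
func Handshake(serverCert tls.Certificate, clientCfg *tls.Config) error {
	cConn, sConn := net.Pipe()
	srvDone := make(chan struct{})
	go func() {
		defer close(srvDone)
		// TLS 1.2 keeps the server's last flight inside the handshake, so no
		// post-handshake write can block on the unbuffered pipe.
		srv := tls.Server(sConn, &tls.Config{
			Certificates: []tls.Certificate{serverCert},
			MaxVersion:   tls.VersionTLS12,
		})
		_ = srv.Handshake()
		sConn.Close()
	}()
	cli := tls.Client(cConn, clientCfg)
	err := cli.Handshake()
	cConn.Close()
	<-srvDone
	return err
}

func main() {
	cert, err := NewSelfSignedCert("mail.example.test")
	if err != nil {
		panic(err)
	}
	cases := []struct {
		name string
		cfg  *tls.Config
	}{
		{"trusted root, matching name", StrictConfig("mail.example.test", cert.Leaf)},
		{"no trusted root (unknown CA)", StrictConfig("mail.example.test", nil)},
		{"trusted root, wrong name", StrictConfig("other.example.test", cert.Leaf)},
		{"InsecureSkipVerify (nothing checked)", SkipVerifyConfig("other.example.test")},
	}
	for _, c := range cases {
		fmt.Printf("%-38s -> %v\n", c.name, Handshake(cert, c.cfg))
	}
}
```

The useful check for a defender is the third and fourth rows together: a client that only verifies the chain but not the name, or one that verifies nothing, still completes the handshake and encrypts traffic, so "uses TLS" in a package description says nothing about whether the peer was authenticated. When auditing a mail client or library, look for the equivalent of `InsecureSkipVerify`, an empty or unset trust store, or a missing expected host name.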