Hi
On Sunday 12 December 2010 at 2:15:50 AM, in <mid:4d043056.40...@sixdemonbag.org>, Robert J. Hansen wrote:

> On 12/11/2010 6:22 PM, MFPA wrote:
>> A question on the subject of SSL/TLS certificates and HTTPS: often
>> there is no user requirement to "authenticate" the identity of the
>> server, but rather a simple requirement to prevent snooping; why does
>> this need a certificate?

> Otherwise the snooper could just use a MitM and you'd
> be none the wiser.

I'd be no worse off than if the connection had just been plain vanilla http.

> When you visit Amazon.com, both you and Amazon need
> some way to ensure you're talking to the real McCoy.
> Amazon authenticates you by having you provide a
> username and password.

In the instance that I'm only browsing around on Amazon and not actually ordering any books at the moment, I would not sign up and create a username/password. But I might not wish for my ISP to log all the books I looked at in case the government wanted to know...

> You authenticate Amazon by
> checking their SSL cert and seeing that it was issued
> by a trusted authority.

Or do I just notice the padlock icon and the yellow address bar indicating an encrypted connection?

> If you didn't check the SSL cert, I could provide a
> self-signed SSL cert, have you accept it, and then do a
> MitM on your connection.

Since my browser would display a warning about untrusted certificates, I'd be likely to notice that. If you provided a cert signed by a CA that my browser trusts, and that matched your server details so no warning was displayed, I probably wouldn't notice. (Of course, there are browser add-ons to detect changes of certificate on previously visited sites...)

> Next thing you know, you've
> paid for all my Christmas shopping...

To me, the page where payment details are entered does not look much like an example of "no user requirement to authenticate the identity of the server, but rather a simple requirement to prevent snooping."
-- 
Best regards

MFPA                    mailto:expires2...@ymail.com

Success isn't how far you got, but the distance you travelled from where you started
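As an added example (not from the thread or from any of the add-ons it mentions), a minimal trust-on-first-use pin store in the spirit of the "detect changes of certificate on previously visited sites" idea above: it records the fingerprint of the certificate seen on the first visit and flags a later visit that presents a different one. The host name and the certificate bytes are constructed placeholders, not real certificates.

```python
import hashlib
import json
from typing import Dict, Optional

# Status values returned by PinStore.check().
FIRST_SEEN = "first-seen"   # no pin stored for this host yet; pin it now
MATCH = "match"             # presented certificate equals the stored pin
CHANGED = "changed"         # certificate differs from the pin: warn the user


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate, colon-separated hex."""
    digest = hashlib.sha256(der_cert).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


class PinStore:
    """Trust-on-first-use store mapping hostname -> certificate fingerprint."""

    def __init__(self, pins: Optional[Dict[str, str]] = None):
        self.pins = dict(pins or {})

    def check(self, host: str, der_cert: bytes) -> str:
        fp = fingerprint(der_cert)
        stored = self.pins.get(host)
        if stored is None:
            self.pins[host] = fp      # first visit: trust and remember
            return FIRST_SEEN
        return MATCH if stored == fp else CHANGED

    def accept(self, host: str, der_cert: bytes) -> None:
        """Re-pin only after the user has confirmed a legitimate rotation."""
        self.pins[host] = fingerprint(der_cert)

    def dumps(self) -> str:
        return json.dumps(self.pins, sort_keys=True)

    @classmethod
    def loads(cls, data: str) -> "PinStore":
        return cls(json.loads(data))


# Constructed sample data: stand-ins for DER certificate bytes (hypothetical).
CERT_A = b"constructed-DER-certificate-A"
CERT_B = b"constructed-DER-certificate-B"


def demo(host: str = "www.example.com") -> list:
    """First visit, repeat visit, changed certificate, then explicit re-pin."""
    store = PinStore()
    results = [store.check(host, CERT_A), store.check(host, CERT_A),
               store.check(host, CERT_B)]
    store.accept(host, CERT_B)
    store = PinStore.loads(store.dumps())   # persistence round-trip
    results.append(store.check(host, CERT_B))
    return results


if __name__ == "__main__":
    print(demo())  # ['first-seen', 'match', 'changed', 'match']
```

A pin store complements CA validation rather than replacing it: a legitimate certificate rotation also reports "changed", so the result is a prompt for the user to look, not an automatic verdict.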