[svlug] FYI for all those who don't read slashdot

Marc MERLIN marc_news at merlins.org
Tue Nov 18 15:28:14 PST 2014


On Tue, Nov 18, 2014 at 12:50:38PM -0800, Michael Eager wrote:
> On 11/18/14 12:19, Josef Grosch wrote:
> > http://it.slashdot.org/story/14/11/18/1830229/launching-2015-a-new-certificate-authority-to-encrypt-the-entire-web
> >
> > https://letsencrypt.org/
> 
> While I think that most things that the EFF does are good,
> I'm not so sure about this.  There are significant flaws
> in the Certificate Authority model (see recent IEEE Software
> article, I believe).
> 
> If anyone can obtain a certificate using an automated method,
> what is it certifying?  That someone obtained it using a cheap
> automated server?  Yes.  That the certificate is for who it
> claims to represent?  I'm not so sure.

Your point is valid, but even a self-signed certificate adds some
security by simply making the traffic not possible for others to snoop on.
An attacker now has to launch a man-in-the-middle attack against you, which
is of course possible, but considerably more effort than just listening
passively.

Marc
-- 
"A mouse is a device used to point at the xterm you want to type in" - A.S.R.
Microsoft is to operating systems ....
                                      .... what McDonalds is to gourmet cooking
Home page: http://marc.merlins.org/                         | PGP 1024R/763BE901



