On 03/14/2014 12:46 PM, Lucas Gonze wrote:
> Let's say web servers auto generated self-signed certificates for
> any domain that didn't supply its own certificate, likely one from
> an authority.
>
> What that would accomplish is to make the stream unreadable over
> the wire, unless the attacker was willing and able to do an MITM
> with their own auto generated self-signed certificate.
>
> It would not be hard to do that MITM, but it would be orders of
> magnitude more expensive than copying unencrypted bytes off the
> router. It would not be practical to do the MITM against a large
> portion of traffic. The attacker would have to pick their targets.
>
> Thoughts?

Things like Convergence by Moxie Marlinspike and friends could make
self-signed certificates much easier and safer to use. Notaries are
the way to go IMHO.

https://www.convergence.io

Cypher

--
Liberationtech is public & archives are searchable on Google. Violations of list guidelines will get you moderated: https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe, change to digest, or change password by emailing moderator at compa...@stanford.edu.