Hi Tony, but are fingerprints even a good idea?
I don't think so, and they are not necessary for the most part.

I'm working on a way to bring down the number of fingerprint checks to zero (for most people), and one (for those who can understand the concept). This is accomplished by using blockchains to distribute public key fingerprints.

There is a working implementation of this called DNSChain (one of the projects that I'm working on):

http://github.com/okTurtles/dnschain

DNSChain makes it possible to check a fingerprint (for the DNSChain server) once, and from then on never worry about it again.

One of the goals of DNSChain is to secure TLS from MITM attacks, and thereby secure HTTPS (and all other protocols that depend on TLS) from such attacks. Simultaneously, it greatly simplifies network security for end-users.

Details are on the GitHub and this blog post:

http://blog.okturtles.com/2014/02/introducing-the-dotdns-metatld/

Cheers,
Greg

--
Please do not email me anything that you are not comfortable also sharing with the NSA.

On Mar 11, 2014, at 6:33 AM, Tony Arcieri <[email protected]> wrote:

> I feel like solutions that rely on manual verification of key fingerprints fall into this category:
>
> http://i.imgur.com/2bEWKNS.png
>
> I don't think these solutions are providing effective security. I feel we need to start from the real needs of real users, and work backwards.
>
> One can propose a study for optimum time-based fingerprint verification and study fingerprint accuracy, but are fingerprints even a good idea? I feel that's where you need to start with any sort of usability study.
>
> Cryptocat's usability studies are addressing this problem. Short Authentication Strings are addressing this problem. Solutions for optimal fingerprint comparison accuracy, IMO, are ignoring the problem, and studying the wrong solution.
>
> Thoughts?
>
> --
> Tony Arcieri
>
> _______________________________________________
> Messaging mailing list
> [email protected]
> https://moderncrypto.org/mailman/listinfo/messaging
