On 10/08/15 14:38, Volker Braun wrote:
> On Monday, August 10, 2015 at 11:42:16 AM UTC+2, vdelecroix wrote:
>
>> I agree with you: from a technical point of view this is stupid.
>
> It is not. There is no security without the chain of trust. Maybe in a
> parallel universe where everybody is so far on the autistic spectrum that
> they religiously verify fingerprints over a second channel, but not in the
> real world.

It is. There is no security without the chain of trust. And I do not trust certificate authorities. If a trusted certificate authority X provides me a certificate for google.com, then I can be a man in the middle. What prevents them from doing so? This is a very weak design. Moreover, who can be a certificate authority?

Let me propose something less stupid: the first time you access a website, you have to accept the certificate manually (if you wish, you can have a look at the fingerprint). Then, until it changes, nothing happens (the very same way ssh works). It does not prevent certificate authorities from continuing to sign certificates if they wish.

Right now, if a certificate changes but it is certified, your browser will not alert you. But it definitely should.
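The ssh-style scheme proposed above (trust on first use, warn when the pin changes, regardless of whether a CA has signed the new certificate) as an added example written for this page, not code from the thread or from Sage. The two DER blobs are constructed stand-ins for real certificates; only their bytes matter to the fingerprint.

```python
"""Trust-on-first-use (TOFU) certificate pinning, in the spirit of ssh's known_hosts."""
import hashlib
from dataclasses import dataclass, field
from enum import Enum


class Verdict(Enum):
    FIRST_USE = "first use: pin recorded, user should confirm the fingerprint"
    MATCH = "fingerprint matches the stored pin"
    CHANGED = "fingerprint CHANGED: possible MITM or a legitimate rotation"


def fingerprint(cert_der: bytes) -> str:
    """SHA-256 over the DER-encoded certificate, colon-separated like openssl/ssh print it."""
    digest = hashlib.sha256(cert_der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


@dataclass
class PinStore:
    """Maps host -> fingerprint. In practice this would be persisted like ~/.ssh/known_hosts."""
    pins: dict = field(default_factory=dict)

    def check(self, host: str, cert_der: bytes) -> Verdict:
        fp = fingerprint(cert_der)
        stored = self.pins.get(host)
        if stored is None:
            self.pins[host] = fp          # first contact: record and ask the user to confirm
            return Verdict.FIRST_USE
        if stored == fp:
            return Verdict.MATCH
        # Deliberately NOT overwriting the pin: a CA signature on the new certificate
        # is irrelevant here; the user must re-accept explicitly via reaccept().
        return Verdict.CHANGED

    def reaccept(self, host: str, cert_der: bytes) -> None:
        """User has verified the new fingerprint out of band and accepts the rotation."""
        self.pins[host] = fingerprint(cert_der)


# Constructed sample "certificates" (not real DER); any byte change is a different pin.
CERT_A = b"\x30\x82\x01\x0a-constructed-cert-for-example.com-key-A"
CERT_B = b"\x30\x82\x01\x0a-constructed-cert-for-example.com-key-B"

if __name__ == "__main__":
    store = PinStore()
    for cert in (CERT_A, CERT_A, CERT_B):
        print(fingerprint(cert)[:23] + "...", store.check("example.com", cert).value)
```

Pinning the whole certificate means every routine renewal trips the CHANGED warning; pinning the SubjectPublicKeyInfo instead survives renewals that keep the same key, at the cost of not noticing a re-issue with identical key material.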
