[liberationtech] Authenticating SSL certificates via QR codes?
Uncle Zzzen
unclezzzen at gmail.com
Sun Dec 29 11:16:50 PST 2013
Sometimes we run small web servers on our notebook or phone. In most [maybe
all] cases, there's a risk running them in cleartext http.
The problem with SSL is that certificates build on domain names. The
assumptions are:
1. The server has an IP number that is fixed, and globally-recognized
(i.e. not a local 192.168... one).
2. The clients can access the internet (and all those dns and ca servers
it needs in order to authenticate the servers). This is not always true.
Worse. It's not always desirable (e.g. piratebox).
So we end up using a self-signed cert <https://gist.github.com/thedod/8136275>
and we hope no one is MITMing us the *first* time we OK it [?].
*Can't we do this via QR codes?*
Maybe it's possible to have a browser plugin that adds a "verify via QR
code" button to the SSL warning page.
Users would get the QR code from a trusted *person* (e.g. the bartender)
not a location (e.g. sticker on the server box that can be replaced by
attackers).
A social engineering (+ MITM) attack is still possible, but this is
something that is easier to warn people against.
So my questions are:
- Is this a good or a bad idea?
- How hard would it be to implement as addons to desktop/phone browsers?
Incentive: if you build it - I promise to do "IP block party": a piratebox
clone with a built-in icecast server and turntable.fm-ish DJ queue. You
feel me now?
Happy holidays,
The Dod
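An added example, not from this post or the gist it links, of the check such a "verify via QR code" button would run: the server's self-signed certificate is fingerprinted with SHA-256, that fingerprint is what the trusted person's QR code carries, and the browser compares it against the certificate it actually received on the SSL warning page. The `certpin:sha256:<hex>` payload format and the `partybox.local` name are assumptions made for this example; a real add-on would take the DER bytes from the TLS connection instead of generating them.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"errors"
	"math/big"
	"strings"
	"time"
)

// Fingerprint: SHA-256 of the DER certificate as lowercase hex (what the QR code carries).
func Fingerprint(der []byte) string {
	sum := sha256.Sum256(der)
	return hex.EncodeToString(sum[:])
}

// EncodeQR builds the QR payload. The "certpin:sha256:<hex>" format is an assumption.
func EncodeQR(der []byte) string { return "certpin:sha256:" + Fingerprint(der) }

// VerifyAgainstQR compares the certificate the browser actually received with the
// fingerprint scanned from a trusted person's QR code. It fails closed on anything odd.
func VerifyAgainstQR(presentedDER []byte, qr string) error {
	parts := strings.Split(strings.TrimSpace(qr), ":")
	if len(parts) != 3 || parts[0] != "certpin" || parts[1] != "sha256" {
		return errors.New("unrecognised QR payload")
	}
	want, err := hex.DecodeString(parts[2])
	if err != nil || len(want) != sha256.Size {
		return errors.New("malformed fingerprint in QR payload")
	}
	got := sha256.Sum256(presentedDER)
	if subtle.ConstantTimeCompare(got[:], want) != 1 {
		return errors.New("certificate does not match QR fingerprint: possible MITM")
	}
	return nil
}

// SelfSignedCert stands in for the notebook's server: a throwaway self-signed cert
// for a LAN-only name, which no CA would ever vouch for.
func SelfSignedCert() ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "partybox.local"},
		NotBefore: time.Now(), NotAfter: time.Now().Add(24 * time.Hour)}
	return x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
}
```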