[liberationtech] Authenticating SSL certificates via QR codes?
Natanael
natanael.l at gmail.com
Sun Dec 29 11:28:05 PST 2013
Your certainly can, and the easiest way is with SSH, and then there are
other options like I2P with the minimum tunnel length, and there's
pagekite.
- Sent from my phone
Den 29 dec 2013 20:17 skrev "Uncle Zzzen" <unclezzzen at gmail.com>:
> Sometimes we run small web servers on out notebook or phone. In most
> [maybe all] cases, there's a risk running them in cleartext http.
>
> The problem with SSL is that certificates build on domain names. The
> assumptions are:
>
> 1. The server has an IP number that is fixed, and globally-recognized
> (i.e. not a local 192.168... one).
> 2. The clients can access the internet (and all those dns and ca
> servers it needs in order to authenticate the servers). This is not always
> true. Worse. It's not always desirable (e.g. piratebox).
>
> So we end up using a self-signed cert<https://gist.github.com/thedod/8136275>and we hope no one is MITMing us the
> *first* time we OK it [?].
>
> *Can't we do this via QR codes?*
>
> Maybe it's possible to have a browser plugin that adds a "verify via QR
> code" button to the SSL warning page.
>
> Users would get the QR code from a trusted *person* (e.g. the bartender)
> not a location (e.g. sticker on the server box that can be replaced by
> attackers).
>
> A social engineering (+ MITM) attack is still possible, but this is
> something that is easier to warn people against.
>
> So my quesions are
>
> - Is this a good or a bad idea?
> - How hard would it be to implement as addons to desktop/phone
> browsers?
>
> Incentive: if you build it - I promise to do "IP block party": a piratebox
> clone with a built-in icecast server and turntable.fm-ish DJ queue. You
> feel me now?
>
> Happy holidays,
>
> The Dod
>
> --
> Liberationtech is public & archives are searchable on Google. Violations
> of list guidelines will get you moderated:
> https://mailman.stanford.edu/mailman/listinfo/liberationtech.
> Unsubscribe, change to digest, or change password by emailing moderator at
> companys at stanford.edu.
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.stanford.edu/pipermail/liberationtech/attachments/20131229/52a6e070/attachment.html>
More information about the liberationtech
mailing list