[liberationtech] self signing certs by default

[Cypher]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

On 03/14/2014 12:46 PM, Lucas Gonze wrote:
> Let's say web servers auto generated self-signed certificates for
> any domain that didn't supply its own certificate, likely one from
> an authority.
> 
> What that would accomplish is to make the stream unreadable over
> the wire, unless the attacker was willing and able to do an MITM
> with their own auto generated self-signed certificate.
> 
> It would not be hard to do that MITM, but it would be orders of 
> magnitude more expensive than copying unencrypted bytes off the
> router. It would not be practical to do the MITM against a large
> portion of traffic. The attacker would have to pick their targets.
> 
> Thoughts?

Things like Convergence by Moxie Marlenspike and friends could make
self-signed certificates much easier and safer to use. Notaries are
the way to go IMHO.

https://www.convergence.io

Cypher


-----BEGIN PGP SIGNATURE-----
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQIbBAEBCgAGBQJTI04CAAoJEFuutbL6JoJrmlUP+NmtxZ1idpNpVPSuGlzTOrbD
cx6PrHxW3BYCb1ts4guUXCPma1d52hNkvkcPuad/QNNtmr2ZdtWp0+CiO+BICMOz
zhpiF70Xsmc+6pFVlmHD48xZbD1g/78d/uypZQYSf0t3i3FERKXQSHQbTYtrcFgR
EXPOQBev8WVYdqul/YN2kEJP5W4LFN6UsW6V5PUDlmQHALggoBlTkExYQjWkNyGZ
du9pGSOSP9BET7gC16Hb732F1GiXV4UV9nej5vVnjdh/UmjPNBxJvktnBixB2t+8
Ghqit+1SVuegCWeTHIt4U7gejxkdSVopmB2vb4vkvW3WV4B/ReKL97rKuh6wsjqY
etR7d/hsCat91X22Fw+S8yN6N1QtPOJUQ+XTrptUezaYOvcXu+8Hyt9vRRZvL+6S
Eyis0CeYaepOJmM/dpm5KLhb/NGenwLZfRx0pEk1v6euu/Y1VdGDQCkfUdweS6Ac
mw4E7hbcvCg2XyABbDHXkVsMze80ZYFJK9m17lelxmFmh4YUrg9ratIS6I3kz0mK
Hv5goTNKBu4w65w++N/WME2clDW3N6IcuVjhdMmjCIns8XeTuTzaq8VFvVROi4qO
k15ApAjjn+Yn/TiaUNL2gXzFJBX2ZGetwOdO8dD4rNREIMDWkVC4qvfvvew4+yi7
cPeYRnh5X3OumI09BDQ=
=z2Hd
-----END PGP SIGNATURE-----