[tahoe-dev] SSL samurai attack migration ninjas, film at 11

Olaf TNSB still.another.person at gmail.com
Sat Oct 29 05:46:37 UTC 2011


Shawn,

I'm not sure that I could be as relaxed about self signed certs as you. It
feels a lot like when I download code with a gpg/pgp signature where the
signing key hasn't been signed by anyone...

I think the web of trust idea is probably the solution for SSL certs, but I
may be wrong.  :P

However, saying that, I found the following article from the EFF useful...

https://www.eff.org/deeplinks/2011/09/post-mortem-iranian-diginotar-attack

I'm using Certificate Patrol (mentioned). I don't know that it makes me any
safer, but I sure as hell feel more aware of the huge # of cert replacements
that occur in my daily net usage.

Cheers,

Olaf

P.S. Apologies about the TOFU. I'm still learning my phone's email app.
On 29/10/2011 5:05 AM, "Shawn Willden" <shawn at willden.org> wrote:

> OT:  Does anyone else think it's crazy that web browsers flash huge red
> warning signs when they see a self-signed cert, as though that's a clear
> indication of some sort of attack being attempted, which is almost never the
> case?
>
> It's always seemed to me than an appropriate browser response to a
> self-signed cert is to accept it and use it to establish an encrypted
> session, but not to display the lock icon or anything else that would make
> the user think this page is especially secure.  For bonus points, browsers
> could implement ssh-style notification of server key changes.
>
> But the sort of big scary warnings browsers now display makes no sense to
> me.
>
> On Fri, Oct 28, 2011 at 10:22 AM, Brian Warner <warner at lothar.com> wrote:
>
>> The tahoe-lafs.org server has moved! But, we had a hiccup with the SSL
>> certificate on the new server. While Zooko gets a new one generated and
>> installed, there is a self-signed certificate in place. So don't be
>> surprised if you see the "OMG SELF-SIGNED CERT NOO!" warning (known as
>> the "Larry Dialog" in firefox). It should be fixed within a couple of
>> hours, so don't feel obligated to bypass the warning.. just check back
>> in later.
>>
>> migration!
>>  -Brian
>> _______________________________________________
>> tahoe-dev mailing list
>> tahoe-dev at tahoe-lafs.org
>> http://tahoe-lafs.org/cgi-bin/mailman/listinfo/tahoe-dev
>>
>
>
>
> --
> Shawn
>
> _______________________________________________
> tahoe-dev mailing list
> tahoe-dev at tahoe-lafs.org
> http://tahoe-lafs.org/cgi-bin/mailman/listinfo/tahoe-dev
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://tahoe-lafs.org/pipermail/tahoe-dev/attachments/20111029/fb099ddf/attachment.html>


More information about the tahoe-dev mailing list