[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-talk] How evil is TLS cert collection?



On Mon, 21 Mar 2011 09:05:30 -0400
Joseph Lorenzo Hall <joehall@xxxxxxxxx> wrote:

> It strikes me that I'd want notice (or the option to get notice)
> before submitting rare certs to the database... say a dialog like:
> "We're about to submit the certificate for the following site, [x] ok,
> [ ] no, do not submit this certificate. ([ ] remember this preference
> for this certificate)." My reasoning is that I should usually have a
> good idea when I'm expecting a rare/self-signed cert, and if I'm not
> expecting it, I'd probably want to submit it. Does that make sense?
> best, Joe

No.

1. The extension cannot determine whether you have a ârareâ certificate
   without querying the database.

2. If users do not report self-signed certificates that they expect to
   see, the database cannot be used to detect man-in-the-middle attacks
   on sites that use self-signed certificates.


Robert Ransom

Attachment: signature.asc
Description: PGP signature

_______________________________________________
tor-talk mailing list
tor-talk@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk