
Re: Holy shit I caught 1



On Wed, Aug 30, 2006 at 03:14:47PM +0200, fis@xxxxxxxxxxxxxxxxx wrote 3.5K bytes in 93 lines about:
: and there is another issue that hasn't been brought up: even if the
: certificate is valid and non-bogus, there may be an attack.

	One can purchase a completely valid cert for $25 and a phone
	number you provide as authentication.  Every browser will accept
	it without question.

	CAs don't do anywhere near the level of validation and
	authentication of the cert owner as users think they do.

	Self-signed certs can be more secure if you personally know the
	signer and can verify the various fingerprints out of band.
	Good luck trying to do this with any large company's cert.

-- 
Andrew
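The out-of-band fingerprint check Andrew describes, as an added example that is not part of the original message or of any project's code: the operator obtains the certificate's SHA-256 fingerprint from the signer over a separate channel (phone, in person, a signed mail), pins it, and accepts the presented certificate only if it matches, bypassing CA validation entirely. Everything here is an assumption for illustration: the function names, the constructed stand-in "certificate" bytes, and the use of SHA-256 rather than the MD5/SHA-1 fingerprints that were common when the mail was written.

```python
"""Accept a self-signed certificate by pinned fingerprint instead of CA validation.

Added example. The pinned fingerprint is assumed to have been read to the
operator out of band by the person who signed the cert, e.g. the output of
    openssl x509 -in cert.pem -noout -fingerprint -sha256
"""
import hashlib
import hmac
import socket
import ssl

# Constructed stand-in for a DER-encoded certificate; a real one is what
# getpeercert(binary_form=True) returns.  Hashing is all the pin check needs.
CONSTRUCTED_CERT_DER = b"\x30\x82\x01\x00" + b"constructed stand-in for DER bytes"


def fingerprint_sha256(der_cert: bytes) -> str:
    """SHA-256 fingerprint of a DER certificate, colon-separated uppercase hex,
    the same form `openssl x509 -fingerprint -sha256` prints."""
    digest = hashlib.sha256(der_cert).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize(fp: str) -> str:
    """Strip colons/spaces and lowercase, so a fingerprint read over the phone
    in any common spelling compares equal to the computed one."""
    return fp.replace(":", "").replace(" ", "").lower()


def matches_pin(der_cert: bytes, pinned_fingerprint: str) -> bool:
    """Constant-time comparison of the presented cert against the pinned value."""
    return hmac.compare_digest(
        normalize(fingerprint_sha256(der_cert)), normalize(pinned_fingerprint)
    )


def open_pinned_connection(host: str, port: int, pinned_fingerprint: str,
                           timeout: float = 5.0) -> ssl.SSLSocket:
    """Open a TLS connection whose trust comes only from the pinned fingerprint.

    CA verification and hostname checking are disabled on purpose: a cert a CA
    would accept (or reject) is irrelevant, only the out-of-band fingerprint
    counts.  No application data is sent before the check passes; on mismatch
    the socket is closed and an error is raised.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    sock = socket.create_connection((host, port), timeout=timeout)
    tls = ctx.wrap_socket(sock, server_hostname=host)
    try:
        presented = tls.getpeercert(binary_form=True)
        if not presented or not matches_pin(presented, pinned_fingerprint):
            got = fingerprint_sha256(presented) if presented else "<no cert>"
            raise ssl.SSLCertVerificationError(
                f"{host}:{port} presented fingerprint {got}, pinned "
                f"{pinned_fingerprint}: refusing to talk"
            )
    except BaseException:
        tls.close()
        raise
    return tls


if __name__ == "__main__":
    # Offline demonstration on the constructed bytes: the pin written with
    # colons and uppercase, or without colons and lowercase, both match; a
    # single changed byte in the certificate does not.
    pin = fingerprint_sha256(CONSTRUCTED_CERT_DER)
    print("pinned:", pin)
    print("match (same cert):      ", matches_pin(CONSTRUCTED_CERT_DER, pin))
    print("match (colon-less pin): ", matches_pin(CONSTRUCTED_CERT_DER, normalize(pin)))
    print("match (tampered cert):  ",
          matches_pin(CONSTRUCTED_CERT_DER + b"\x00", pin))
```

Usage against a live host would be `open_pinned_connection("example.internal", 443, "AB:CD:...")` with a fingerprint obtained from the signer, never one scraped from the same connection. The comparison runs on the whole leaf certificate, so a renewed or re-keyed cert breaks the pin until the new fingerprint is exchanged out of band, which is exactly the property that makes this stronger than CA validation for a small, personally known set of signers and impractical for a large company's constantly rotating certs.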