[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: https proxy [was polipo]

To: or-talk@xxxxxxxxxxxxx
Subject: Re: https proxy [was polipo]
From: coderman <coderman@xxxxxxxxx>
Date: Mon, 23 Aug 2010 11:40:14 -0700
Delivered-to: archiver@xxxxxxxx
Delivered-to: or-talk-outgoing@xxxxxxxx
Delivered-to: or-talk@xxxxxxxx
Delivery-date: Mon, 23 Aug 2010 14:40:23 -0400
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:received:received:in-reply-to :references:date:message-id:subject:from:to:content-type; bh=3w/P6mC6/qnZo0at7urPwFS08xO9qNdZKIOXFBn13fc=; b=Xt7KkELiTEvTR0h12fY3rBRiTE2pX7TCPEq1eTjY7JsubxE0cfRRbYKYptiAno2IAl is45uNJwC7csXNoYvmFaoZRrj+evylCXc7jeLbEu+4Xk8kpid7a/wdJKxSnd3mCnLaRK a4OGrnCopjR20ZyJB537eZu4DmiPZfufK0lAE=
Domainkey-signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :content-type; b=S8GBNTEMVTkXHVH/sfNw8X8n3oS0eWwXI2JdzPDkWmBwJNWjr38CSah9QYjIwWGmlD P1Je2gQn696O8L/vtIk07xbkqYbZhpqnat8cklSDyfwe1MiwfFZ2c3osEd/RmOJO/rwi 9ZjyYHkwCWFBNhk6MPmYZ7R8UX7JiQpjYt8+c=
In-reply-to: <AANLkTinJjZqY4vh7G-xkoTQE+-KukhLTCKyOq-v7kLTS@xxxxxxxxxxxxxx>
References: <AANLkTikPQeJEAfp8r0gro4F=SLq-=9ZROMZsiBVjm6Sg@xxxxxxxxxxxxxx> <AANLkTineqyTCda70XjyZLF=a7o=ZOT7JmCFK0FAY_tBe@xxxxxxxxxxxxxx> <AANLkTinJjZqY4vh7G-xkoTQE+-KukhLTCKyOq-v7kLTS@xxxxxxxxxxxxxx>
Reply-to: or-talk@xxxxxxxxxxxxx
Sender: owner-or-talk@xxxxxxxxxxxxx

On Mon, Aug 23, 2010 at 8:58 AM, morphium <morphium@xxxxxxxxxxxxx> wrote:
>> I can see it could provide some
>> protection against ssl/ssh mitm attacks.
>
> No. Why do you think it could?

- because by default applications trust either a large, promiscuous
set of certificate authorities, or even worse, use the operating
system supplied list of trusted authorities.

- because by default applications do not or cannot utilize mitigating
measures like perspective based certificate retrieval and consensus
from varying endpoints or sources.

- because by default applications may not support robust cipher suites
or handle some aspects of protocol or session negotiation poorly /
incorrectly / insecurely.

- because by default applications don't support a persistent, mobile
store of trusted server certificates built up over time, which a proxy
could provide (Tahoe LAFS / encrypted $cloud storage for your
certificate store available wherever you need it.)

- lots of additional reasons...
***********************************************************************
To unsubscribe, send an e-mail to majordomo@xxxxxxxxxxxxxx with
unsubscribe or-talk    in the body. http://archives.seul.org/or/talk/

Follow-Ups:
- Re: https proxy [was polipo]
  - From: grarpamp

References:
- Re: https proxy [was polipo]
  - From: grarpamp
- Re: https proxy [was polipo]
  - From: Julie C
- Re: https proxy [was polipo]
  - From: morphium

Prev by Author: Re: Tor + SELinux sandbox = leak proof without VM overhead?
Next by Author: Re: How to Run High Capacity Tor Relays
Previous by thread: Re: https proxy [was polipo]
Next by thread: Re: https proxy [was polipo]
Index(es):
- Author
- Thread