[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: https proxy [was polipo]

On Mon, Aug 23, 2010 at 8:58 AM, morphium <morphium@xxxxxxxxxxxxx> wrote:
>> I can see it could provide some
>> protection against ssl/ssh mitm attacks.
> No. Why do you think it could?

- because by default applications trust either a large, promiscuous
set of certificate authorities, or even worse, use the operating
system supplied list of trusted authorities.

- because by default applications do not or cannot utilize mitigating
measures like perspective based certificate retrieval and consensus
from varying endpoints or sources.

- because by default applications may not support robust cipher suites
or handle some aspects of protocol or session negotiation poorly /
incorrectly / insecurely.

- because by default applications don't support a persistent, mobile
store of trusted server certificates built up over time, which a proxy
could provide (Tahoe LAFS / encrypted $cloud storage for your
certificate store available wherever you need it.)

- lots of additional reasons...
To unsubscribe, send an e-mail to majordomo@xxxxxxxxxxxxxx with
unsubscribe or-talk    in the body. http://archives.seul.org/or/talk/