Certificates and "authorities"

Posted Sep 16, 2011 17:09 UTC (Fri) by bjartur (guest, #67801)
In reply to: Certificates and "authorities" by foom
Parent article: Certificates and "authorities"

By now, all of the web ought to at least be at the "encryption without authentication" level.

Which, as HSTS, provides adequate data security over end-to-end TCP connections on links that attackers cannot inject malicious packets to. This does nothing to protect you against the most dangerous villains: MTAs, ISPs, proxies and the like.


Certificates and "authorities"

Posted Sep 17, 2011 2:26 UTC (Sat) by njs (guest, #40338)

The NSA isn't a dangerous villain?

Encryption without authentication forces any potential broad-scale sniffers to take a more active role, which may be politically problematic and is certainly much more expensive. (Decrypting/re-encrypting a few million TCP flows on the fly is not cheap or easy.)

Certificates and "authorities"

Posted Oct 18, 2011 20:46 UTC (Tue) by rich0 (guest, #55509)

Considering how prevalent cookie theft is over unsecured WiFi, I'd say that there is a huge case for encrypted communications even if they aren't authenticated.

Sure, there is always the risk of MITM, but at least you force the attacker to make an active attack, which then creates the opportunity to detect the hacker. Just have a few police stings in campus coffee shops or whatever and I bet you'd have some impact on the practice.

I'm amazed sometimes at the XOR approach we take towards security - either very secure but lots of cost/hurdles, or absolutely and completely insecure. A better approach is to provide a tiered system where everybody can work out how secure is secure enough for a particular application. Use DNSSEC and stick the required security level (as well as certificates) in the DNS record for a site and you have a standard way of ensuring the client and server are on the same page where security is important.
