please move this stuff into DNS

Posted Dec 25, 2008 20:15 UTC (Thu) by quotemstr (subscriber, #45331)
In reply to: please move this stuff into DNS by TRS-80
Parent article: SSL man-in-the-middle attacks

Er, if I'm reading this right, it's just an HTTP-authentication-style password exchange system, built out of TLS primitives.

For vain reasons, it'll never be used: web designers like being able to specify how their login boxes look.

please move this stuff into DNS

Posted Dec 26, 2008 2:23 UTC (Fri) by TRS-80 (guest, #1804) [Link] (3 responses)

Well, it's not just applicable to HTTP - you can use it for IMAP and SMTP authentication too. How many people use a self-signed cert for those, and are going to be bitten when Thunderbird 3 comes out with the same anti-self-signed UI as Firefox?

Anyway, for web designers HTML 5 offers a way to have HTML login forms for HTTP auth.

please move this stuff into DNS

Posted Dec 26, 2008 3:18 UTC (Fri) by drag (guest, #31333) [Link] (2 responses)

You know that creating your own signing certificate is not significantly more difficult then making a self-signed... I mean I started off with self-signed for mucking around with doing things, but figured that since I am worrying about encryption anyways I might as well do it myself.

It just strikes me as a bit lazy. Not a lot lazy as the SSL/TLS stuff is difficult to get right. But for as long as this stuff has been out it should be fairly simple to do.

please move this stuff into DNS

Posted Dec 26, 2008 3:36 UTC (Fri) by TRS-80 (guest, #1804) [Link] (1 responses)

The point isn't how easy/lazy it is, the point is to avoiding have to trust (now apparently) untrustworthy CAs. Maintaining your own CA (is that what you mean by signing certificate?) might be OK if you're the only user, but asking other people to install your CA is a right pain, and then you have to worry about keeping the CA secure, plus all the regular PKIX hassles of updating certs etc.

Security problems with CAs

Posted Dec 26, 2008 13:21 UTC (Fri) by vonbrand (subscriber, #4458) [Link]

Sad fact is that really checking is expensive, and CAs aren't in the business of "wasting" money to then turn a paying customer away... plus certificates are the same whether they are meant to protect (probably not very interesting) email from prying eyes, commercial transactions in the range of a few tens of dollars, or multi-million dollar movements. The association of the "personal" certificate with all sorts of identifying data makes the planned use of those a privacy nightmare. The whole concept is deeply flawed. For an in-depth discussion of the current issues, look at Peter Gutmann's PKI tutorial (a large PDF presentation).