
Certificates and "authorities"

Posted Sep 8, 2011 9:25 UTC (Thu) by nmav (subscriber, #34036)
In reply to: Certificates and "authorities" by gmaxwell
Parent article: Certificates and "authorities"

This is of course only your opinion. If you can tolerate encryption without authentication, it is good for you, but no good for me. I don't care if I talk to someone secretly so no one hears if I don't know whom I am talking to. The examples of failures you mention are really because of your reluctance to use the provided interfaces. Security, online or offline, requires following some protocols. If you don't want to follow them, don't expect security.


Certificates and "authorities"

Posted Sep 11, 2011 1:29 UTC (Sun) by foom (subscriber, #14868)

> If you can tolerate encryption without authentication, it is good for you, but no good for me.

You're missing the point there. Which is better: no encryption whatsoever, or encryption without assurance of who you're talking to? The second is plainly better, as it defeats at least *some* types of attackers (those who have intercepted, but do not have the ability to modify, your traffic). By now, all of the web ought to at least be at the "encryption without authentication" level.

Clearly, authentication of who you're talking to is an important feature to have, but requiring that be present to enable the use of encryption at all was a colossal blunder in the development of HTTPS.

Certificates and "authorities"

Posted Sep 16, 2011 17:09 UTC (Fri) by bjartur (guest, #67801)

> By now, all web ought to at least be at the "encryption without authentication" level.

Which, as HSTS, provides adequate data security over end-to-end TCP connections on links into which attackers cannot inject malicious packets. This does nothing to protect you against the most dangerous villains: MTAs, ISPs, proxies and the like.

Certificates and "authorities"

Posted Sep 17, 2011 2:26 UTC (Sat) by njs (guest, #40338)

The NSA isn't a dangerous villain?

Encryption without authentication forces any potential broad-scale sniffers to take a more active role, which may be politically problematic and is certainly much more expensive. (Decrypting/re-encrypting a few million TCP flows on the fly is not cheap or easy.)

Certificates and "authorities"

Posted Oct 18, 2011 20:46 UTC (Tue) by rich0 (guest, #55509)

Considering how prevalent cookie theft is over unsecured WiFi I'd say that there is a huge case for encrypted communications even if they aren't authenticated.

Sure, there is always the risk of MITM but at least you force the attacker to make an active attack, which then creates the opportunity to detect the hacker. Just have a few police stings in campus coffee shops or whatever and I bet you'd have some impact on the practice.

I'm amazed sometimes at the XOR approach we take towards security - either very secure but lots of cost/hurdles, or absolutely and completely insecure. A better approach is to provide a tiered system where everybody can work out how secure is secure enough for a particular application. Use DNSSEC and stick the required security level (as well as certificates) in the DNS record for a site and you have a standard way of ensuring the client and server are on the same page where security is important.


Copyright © 2017, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds