Holy shit I caught 1

phobos at rootme.org
Wed Aug 30 14:47:00 UTC 2006


On Wed, Aug 30, 2006 at 03:14:47PM +0200, fis at wiwi.hu-berlin.de wrote 3.5K bytes in 93 lines about:
: and there is another issue that hasn't been brought up: even if the
: certificate is valid and non-bogus, there may be an attack.

	One can purchase a completely valid cert for $25 and a phone
	number you provide as authentication.  Every browser will accept
	it without question.

	CAs don't do anywhere near the level of validation and
	authentication of the cert owner as users think they do.

	Self-signed certs can be more secure if you personally know the
	signer and can verify the various fingerprints out of band.
	Good luck trying to do this with any large company's cert.

-- 
Andrew
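
The out-of-band fingerprint check mentioned in the message above, as an added example that is not part of the original post. All function names are hypothetical, the sample certificate bytes are a constructed stand-in rather than a real certificate, and accepting only SHA-256 and SHA-512 fingerprints is a choice made for this example.

```python
import hashlib
import hmac
import ssl

# Hex length of the fingerprint -> digest used to produce it.
# Shorter (MD5/SHA-1 length) fingerprints are rejected in this example.
ALGO_BY_HEX_LEN = {64: "sha256", 128: "sha512"}


def normalize_fingerprint(text):
    """Reduce 'AB:CD:..', 'ab cd ..' or 'abcd..' to bare lowercase hex."""
    cleaned = "".join(ch for ch in text if ch not in ": -\t\r\n").lower()
    if not cleaned or any(ch not in "0123456789abcdef" for ch in cleaned):
        raise ValueError("fingerprint contains non-hex characters")
    if len(cleaned) not in ALGO_BY_HEX_LEN:
        raise ValueError("unsupported fingerprint length: %d" % len(cleaned))
    return cleaned


def cert_fingerprint(pem, algo):
    """Hash the DER encoding of the certificate, as browsers display it."""
    der = ssl.PEM_cert_to_DER_cert(pem)
    return hashlib.new(algo, der).hexdigest()


def matches_pin(pem, out_of_band):
    """True only if the presented cert hashes to the value obtained
    out of band (read over the phone, printed on paper, and so on)."""
    expected = normalize_fingerprint(out_of_band)
    actual = cert_fingerprint(pem, ALGO_BY_HEX_LEN[len(expected)])
    return hmac.compare_digest(actual, expected)


# Constructed sample: arbitrary bytes standing in for a DER certificate.
# A fingerprint is a hash over the raw encoding, so this is enough to
# exercise the check offline. For a live server the PEM would come from
# ssl.get_server_certificate((host, port)).
SAMPLE_DER = b"constructed stand-in for a self-signed certificate"
SAMPLE_PEM = ssl.DER_cert_to_PEM_cert(SAMPLE_DER)

if __name__ == "__main__":
    digest = hashlib.sha256(SAMPLE_DER).hexdigest().upper()
    spoken = ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))
    print("out-of-band value :", spoken)
    print("pin matches       :", matches_pin(SAMPLE_PEM, spoken))
    other = ssl.DER_cert_to_PEM_cert(SAMPLE_DER + b"!")
    print("substituted cert  :", matches_pin(other, spoken))
```

The check says nothing about who holds the key; that assurance comes entirely from how the fingerprint reached you.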


