Search Mailing List Archives


Limit search to: Subject & Body Subject Author
Sort by: Reverse Sort
Limit to: All This Week Last Week This Month Last Month
Select Date Range     through    

[liberationtech] Authenticating SSL certificates via QR codes?

Uncle Zzzen unclezzzen at gmail.com
Sun Dec 29 11:16:50 PST 2013


Sometimes we run small web servers on out notebook or phone. In most [maybe
all] cases, there's a risk running them in cleartext http.

The problem with SSL is that certificates build on domain names. The
assumptions are:

   1. The server has an IP number that is fixed, and globally-recognized
   (i.e. not a local 192.168... one).
   2. The clients can access the internet (and all those dns and ca servers
   it needs in order to authenticate the servers). This is not always true.
   Worse. It's not always desirable (e.g. piratebox).

So we end up using a self-signed
cert<https://gist.github.com/thedod/8136275>and we hope no one is
MITMing us the
*first* time we OK it [?].

*Can't we do this via QR codes?*

Maybe it's possible to have a browser plugin that adds a "verify via QR
code" button to the SSL warning page.

Users would get the QR code from a trusted *person* (e.g. the bartender)
not a location (e.g. sticker on the server box that can be replaced by
attackers).

A social engineering (+ MITM) attack is still possible, but this is
something that is easier to warn people against.

So my quesions are

   - Is this a good or a bad idea?
   - How hard would it be to implement as addons to desktop/phone browsers?

Incentive: if you build it - I promise to do "IP block party": a piratebox
clone with a built-in icecast server and turntable.fm-ish DJ queue. You
feel me now?

Happy holidays,

The Dod
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.stanford.edu/pipermail/liberationtech/attachments/20131230/9185b4ed/attachment.html>


More information about the liberationtech mailing list