Search Mailing List Archives
[liberationtech] Authenticating SSL certificates via QR codes?
unclezzzen at gmail.com
Sun Dec 29 11:16:50 PST 2013
Sometimes we run small web servers on out notebook or phone. In most [maybe
all] cases, there's a risk running them in cleartext http.
The problem with SSL is that certificates build on domain names. The
1. The server has an IP number that is fixed, and globally-recognized
(i.e. not a local 192.168... one).
2. The clients can access the internet (and all those dns and ca servers
it needs in order to authenticate the servers). This is not always true.
Worse. It's not always desirable (e.g. piratebox).
So we end up using a self-signed
cert<https://gist.github.com/thedod/8136275>and we hope no one is
MITMing us the
*first* time we OK it [?].
*Can't we do this via QR codes?*
Maybe it's possible to have a browser plugin that adds a "verify via QR
code" button to the SSL warning page.
Users would get the QR code from a trusted *person* (e.g. the bartender)
not a location (e.g. sticker on the server box that can be replaced by
A social engineering (+ MITM) attack is still possible, but this is
something that is easier to warn people against.
So my quesions are
- Is this a good or a bad idea?
- How hard would it be to implement as addons to desktop/phone browsers?
Incentive: if you build it - I promise to do "IP block party": a piratebox
clone with a built-in icecast server and turntable.fm-ish DJ queue. You
feel me now?
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the liberationtech