[liberationtech] Authenticating SSL certificates via QR codes?

Natanael natanael.l at
Sun Dec 29 11:28:05 PST 2013

You certainly can, and the easiest way is with SSH, and then there are
other options like I2P with the minimum tunnel length, and there's

- Sent from my phone
On 29 Dec 2013 20:17, "Uncle Zzzen" <unclezzzen at> wrote:

> Sometimes we run small web servers on our notebook or phone. In most
> [maybe all] cases, there's a risk running them in cleartext http.
> The problem with SSL is that certificates build on domain names. The
> assumptions are:
>    1. The server has an IP number that is fixed, and globally-recognized
>    (i.e. not a local 192.168... one).
>    2. The clients can access the internet (and all those dns and ca
>    servers it needs in order to authenticate the servers). This is not always
>    true. Worse. It's not always desirable (e.g. piratebox).
> So we end up using a self-signed cert and we hope no one is MITMing us the
> *first* time we OK it.
> *Can't we do this via QR codes?*
> Maybe it's possible to have a browser plugin that adds a "verify via QR
> code" button to the SSL warning page.
> Users would get the QR code from a trusted *person* (e.g. the bartender)
> not a location (e.g. sticker on the server box that can be replaced by
> attackers).
> A social engineering (+ MITM) attack is still possible, but this is
> something that is easier to warn people against.
> So my questions are
>    - Is this a good or a bad idea?
>    - How hard would it be to implement as addons to desktop/phone
>    browsers?
> Incentive: if you build it - I promise to do "IP block party": a piratebox
> clone with a built-in icecast server and DJ queue. You
> feel me now?
> Happy holidays,
> The Dod
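The check a "verify via QR code" button would have to perform, as an added example that is not part of the original thread: the QR code carries the server's address and the SHA-256 fingerprint of its self-signed certificate, and the client compares that pin with the certificate the connection actually presented. The `certpin:v1` payload format, the function names and the sample certificate bytes are assumptions constructed for illustration.

```python
import hashlib
import hmac
import ssl

PREFIX = "certpin:v1"  # hypothetical payload tag, not an existing standard

def fingerprint(der: bytes) -> str:
    """SHA-256 over the DER-encoded certificate, lowercase hex."""
    return hashlib.sha256(der).hexdigest()

def make_payload(host: str, port: int, der: bytes) -> str:
    """Text the server owner would encode into the QR code."""
    return f"{PREFIX};{host}:{port};{fingerprint(der)}"

def parse_payload(text: str):
    """Return (endpoint, fingerprint) or raise ValueError if malformed."""
    parts = text.strip().split(";")
    if len(parts) != 3 or parts[0] != PREFIX:
        raise ValueError("not a certpin:v1 payload")
    endpoint, fp = parts[1], parts[2].lower()
    if len(fp) != 64 or any(c not in "0123456789abcdef" for c in fp):
        raise ValueError("fingerprint is not 64 hex characters")
    return endpoint, fp

def fetch_der(host: str, port: int) -> bytes:
    """Fetch the presented certificate without CA validation (self-signed)."""
    pem = ssl.get_server_certificate((host, port))
    return ssl.PEM_cert_to_DER_cert(pem)

def check(scanned: str, host: str, port: int, presented_der: bytes) -> str:
    """Compare the certificate the connection presented with the scanned pin."""
    try:
        endpoint, pinned = parse_payload(scanned)
    except ValueError:
        return "reject: malformed QR payload"
    if endpoint != f"{host}:{port}":
        return "reject: QR code is for a different server"
    # Constant-time comparison of the two hex digests.
    if not hmac.compare_digest(pinned, fingerprint(presented_der)):
        return "reject: fingerprint mismatch (possible MITM)"
    return "accept"

# Constructed stand-ins for DER certificates (real ones come from fetch_der).
SERVER_DER = b"constructed-der-bytes-of-the-real-self-signed-cert"
MITM_DER = b"constructed-der-bytes-of-an-interceptor-cert"
QR_TEXT = make_payload("192.168.1.10", 8443, SERVER_DER)
```

The QR payload contains only public data, so its value depends entirely on the channel it arrives through, which is the point the original post makes about getting it from a trusted person.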