[liberationtech] Authenticating SSL certificates via QR codes?
natanael.l at gmail.com
Sun Dec 29 11:28:05 PST 2013
You certainly can, and the easiest way is with SSH, and then there are
other options like I2P with the minimum tunnel length, and there's
- Sent from my phone
On 29 Dec 2013 20:17, "Uncle Zzzen" <unclezzzen at gmail.com> wrote:
> Sometimes we run small web servers on our notebook or phone. In most
> [maybe all] cases, there's a risk running them in cleartext http.
> The problem with SSL is that certificates build on domain names. The
> assumptions are:
> 1. The server has an IP number that is fixed, and globally-recognized
> (i.e. not a local 192.168... one).
> 2. The clients can access the internet (and all those dns and ca
> servers it needs in order to authenticate the servers). This is not always
> true. Worse. It's not always desirable (e.g. piratebox).
> So we end up using a self-signed cert <https://gist.github.com/thedod/8136275> and we hope no one is MITMing us the
> *first* time we OK it [?].
> *Can't we do this via QR codes?*
> Maybe it's possible to have a browser plugin that adds a "verify via QR
> code" button to the SSL warning page.
> Users would get the QR code from a trusted *person* (e.g. the bartender)
> not a location (e.g. sticker on the server box that can be replaced by
> A social engineering (+ MITM) attack is still possible, but this is
> something that is easier to warn people against.
> So my questions are
> - Is this a good or a bad idea?
> - How hard would it be to implement as addons to desktop/phone
> Incentive: if you build it - I promise to do "IP block party": a piratebox
> clone with a built-in icecast server and turntable.fm-ish DJ queue. You
> feel me now?
> Happy holidays,
> The Dod
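An added example, not part of the original thread: one way the "verify via QR code" check proposed above could work, assuming the QR code carries a digest of the server's DER-encoded certificate. The `certpin:v1:` payload format and all function names are hypothetical; rendering the text as an actual QR image is left to a QR library.

```python
import hashlib
import hmac

# Hypothetical payload format for the QR code: "certpin:v1:sha256:<64 hex chars>".
PREFIX = "certpin:v1"
ALLOWED = {"sha256": 64, "sha512": 128}  # algorithm -> hex digest length


def make_qr_payload(cert_der: bytes, alg: str = "sha256") -> str:
    """Text the server owner encodes as a QR code and hands out in person."""
    if alg not in ALLOWED:
        raise ValueError(f"unsupported digest: {alg}")
    return f"{PREFIX}:{alg}:{hashlib.new(alg, cert_der).hexdigest()}"


def parse_qr_payload(text: str) -> tuple[str, bytes]:
    """Strictly parse scanned text; reject anything that is not a well-formed pin."""
    parts = text.strip().split(":")
    if len(parts) != 4 or ":".join(parts[:2]) != PREFIX:
        raise ValueError("not a certpin payload")
    alg, hexdigest = parts[2].lower(), parts[3].lower()
    if alg not in ALLOWED:  # refuses md5/sha1 pins
        raise ValueError(f"unsupported digest: {alg}")
    if len(hexdigest) != ALLOWED[alg]:
        raise ValueError("digest has wrong length")
    return alg, bytes.fromhex(hexdigest)  # ValueError on non-hex input


def cert_matches_qr(presented_der: bytes, qr_text: str) -> bool:
    """True only if the certificate the server presented hashes to the scanned pin."""
    alg, expected = parse_qr_payload(qr_text)
    actual = hashlib.new(alg, presented_der).digest()
    return hmac.compare_digest(actual, expected)


# Constructed stand-ins for DER certificate bytes (not real certificates).
# In practice they would come from ssl.SSLSocket.getpeercert(binary_form=True).
SERVER_CERT = b"constructed-der-bytes-of-the-real-self-signed-cert"
MITM_CERT = b"constructed-der-bytes-of-an-interceptor-cert"

if __name__ == "__main__":
    qr = make_qr_payload(SERVER_CERT)
    print(qr)
    print("genuine:", cert_matches_qr(SERVER_CERT, qr))
    print("mitm:   ", cert_matches_qr(MITM_CERT, qr))
```

The check binds trust to the exact certificate bytes rather than to a domain name or CA, so it works on a local address with no internet access; its strength rests entirely on the QR code reaching the user through a channel the interceptor does not control.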