
[liberationtech] Authenticating SSL certificates via QR codes?

Natanael natanael.l at gmail.com
Sun Dec 29 11:28:05 PST 2013


You certainly can, and the easiest way is with SSH, and then there are
other options like I2P with the minimum tunnel length, and there's
pagekite.

- Sent from my phone
Den 29 dec 2013 20:17 skrev "Uncle Zzzen" <unclezzzen at gmail.com>:

> Sometimes we run small web servers on our notebook or phone. In most
> [maybe all] cases, there's a risk running them in cleartext http.
>
> The problem with SSL is that certificates build on domain names. The
> assumptions are:
>
>    1. The server has an IP number that is fixed, and globally-recognized
>    (i.e. not a local 192.168... one).
>    2. The clients can access the internet (and all those dns and ca
>    servers it needs in order to authenticate the servers). This is not always
>    true. Worse. It's not always desirable (e.g. piratebox).
>
> So we end up using a self-signed cert <https://gist.github.com/thedod/8136275> and we hope no one is MITMing us the
> *first* time we OK it [?].
>
> *Can't we do this via QR codes?*
>
> Maybe it's possible to have a browser plugin that adds a "verify via QR
> code" button to the SSL warning page.
>
> Users would get the QR code from a trusted *person* (e.g. the bartender)
> not a location (e.g. sticker on the server box that can be replaced by
> attackers).
>
> A social engineering (+ MITM) attack is still possible, but this is
> something that is easier to warn people against.
>
> So my questions are
>
>    - Is this a good or a bad idea?
>    - How hard would it be to implement as addons to desktop/phone
>    browsers?
>
> Incentive: if you build it - I promise to do "IP block party": a piratebox
> clone with a built-in icecast server and turntable.fm-ish DJ queue. You
> feel me now?
>
> Happy holidays,
>
> The Dod
>
> --
> Liberationtech is public & archives are searchable on Google. Violations
> of list guidelines will get you moderated:
> https://mailman.stanford.edu/mailman/listinfo/liberationtech.
> Unsubscribe, change to digest, or change password by emailing moderator at
> companys at stanford.edu.
>
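What the proposed "verify via QR code" button would actually have to do, as an added example that is not part of the original thread and not code by either poster: the server side computes the SHA-256 fingerprint of its self-signed certificate (the DER encoding, the same value `openssl x509 -fingerprint -sha256` prints) and puts it in the QR code; the client side connects with normal CA/hostname checking disabled, fetches the leaf certificate the server actually presented, and accepts only if its fingerprint matches the one from the QR code. The `tlspin/sha256:` payload format is an assumption made up for this example, and the two DER blobs are constructed stand-ins for real certificates so the pinning logic can be exercised offline; `fetch_leaf_cert` opens a real TLS connection and is only used from the `__main__` block.

```python
"""Out-of-band pinning of a self-signed TLS certificate via a QR payload.

Added example for the liberationtech thread above; not the posters' code.
"""
import base64
import hashlib
import hmac
import socket
import ssl

# Hypothetical payload format for the QR code: a prefix plus the unpadded
# URL-safe base64 of the SHA-256 fingerprint of the DER certificate.
QR_PREFIX = "tlspin/sha256:"

# Constructed stand-ins for DER-encoded certificates. Any byte string works
# for the fingerprint arithmetic; a real deployment hashes the actual DER.
GENUINE_CERT_DER = b"constructed stand-in for the server's self-signed certificate (DER)"
MITM_CERT_DER = b"constructed stand-in for an attacker's certificate (DER)"


def cert_fingerprint(der: bytes) -> bytes:
    """SHA-256 over the DER certificate, i.e. the usual 'certificate fingerprint'."""
    return hashlib.sha256(der).digest()


def make_qr_payload(der: bytes) -> str:
    """Server side: the text the trusted person's QR code encodes."""
    b64 = base64.urlsafe_b64encode(cert_fingerprint(der)).rstrip(b"=")
    return QR_PREFIX + b64.decode("ascii")


def parse_qr_payload(payload: str) -> bytes:
    """Client side: recover the expected fingerprint; reject anything malformed."""
    if not payload.startswith(QR_PREFIX):
        raise ValueError("not a certificate-pin payload")
    b64 = payload[len(QR_PREFIX):]
    b64 += "=" * (-len(b64) % 4)  # restore padding stripped on the way out
    digest = base64.urlsafe_b64decode(b64)
    if len(digest) != hashlib.sha256().digest_size:
        raise ValueError("fingerprint has wrong length")
    return digest


def pin_matches(presented_der: bytes, expected_fingerprint: bytes) -> bool:
    """True only if the certificate the server presented is the pinned one.

    A MITM that substitutes its own certificate fails here even though the
    TLS handshake itself succeeded (we turned CA validation off below).
    """
    return hmac.compare_digest(cert_fingerprint(presented_der), expected_fingerprint)


def fetch_leaf_cert(host: str, port: int, timeout: float = 5.0) -> bytes:
    """Connect without CA or hostname checks and return the leaf cert as DER.

    Verification is deliberately disabled at the TLS layer because the
    self-signed cert has no chain to a CA and may be served on a LAN IP;
    the pin comparison is the verification. Nothing is sent to the server
    until pin_matches() has been checked by the caller.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False  # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def verify_via_qr(host: str, port: int, qr_payload: str) -> bool:
    """What the add-on's button would do after the QR code is scanned."""
    expected = parse_qr_payload(qr_payload)
    presented = fetch_leaf_cert(host, port)
    return pin_matches(presented, expected)


if __name__ == "__main__":
    # Server-side: print what goes into the QR code for the constructed cert.
    print(make_qr_payload(GENUINE_CERT_DER))
    # Client-side against a live self-signed server would be, for instance:
    # print(verify_via_qr("192.168.1.10", 8443, scanned_payload))
```

Two caveats for anyone building this: the pin covers one exact certificate, so the QR code has to be reissued whenever the server's self-signed cert is regenerated, and the comparison must happen before any request is sent over the connection, since the TLS layer alone no longer rejects an impostor.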

