
Isn't this also accomplished via the SSL Observatory functionality in HTTPS-Everywhere?


AFAIK SSL Observatory only sends the certs you receive to an EFF server to be included in a DB, it doesn't protect you against MITMs.

A great add-on for Firefox that helps you to detect any possible MITM is Certificate Patrol (https://addons.mozilla.org/en-US/firefox/addon/certificate-p...), it may be a bit annoying for some people though.

X.509 is broken, it only protects you against casual script kiddies at Starbucks. I know about people who deleted the CA directory from their systems, in my case I prefer to use Certificate Patrol (both in Firefox and Thunderbird) or use self-signed certs and then pgp sign the fingerprint.


>I know about people who deleted the CA directory from their systems, in my case I prefer to use Certificate Patrol (both in Firefox and Thunderbird) or use self-signed certs and then pgp sign the fingerprint.

How does the latter work? Is that possible with Firefox?


Yeah sure, if your system doesn't have any CA cert installed you will be asked to accept every new certificate you receive when you start a TLS connection, and you can permanently accept it. Would be pretty manual, since you also need to ask the issuer to digitally sign the fingerprint and then check it...
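
The manual workflow discussed in this thread (accept a certificate only after checking its fingerprint, then notice when it changes, as Certificate Patrol does) can be sketched as follows. This is an added example, not code from any commenter or from Certificate Patrol. `PinStore`, `fingerprint`, the host name and the certificate bytes are hypothetical, and the out-of-band fingerprint is assumed to have already been taken from a message whose PGP signature was verified separately.

```python
import hashlib
import hmac

# Constructed stand-ins for DER-encoded certificates. In real use the bytes
# would come from ssl.PEM_cert_to_DER_cert(ssl.get_server_certificate(addr)).
CERT_A = b"constructed stand-in for the server's real DER certificate"
CERT_B = b"constructed stand-in for a substituted DER certificate"


def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of a DER certificate as colon-separated hex."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def _normalize(fp: str) -> str:
    # Accept "AA:BB", "aa bb" or "aabb" forms of the same fingerprint.
    return fp.replace(":", "").replace(" ", "").strip().lower()


class PinStore:
    """Remembers one certificate fingerprint per (host, port)."""

    def __init__(self):
        self._pins = {}

    def check(self, host, port, der, signed_fp=None):
        """Return 'unverified', 'mismatch', 'pinned', 'match' or 'changed'.

        signed_fp is the fingerprint published by the server operator,
        assumed to be already authenticated (e.g. PGP-verified elsewhere).
        """
        seen = _normalize(fingerprint(der))
        key = (host.lower(), port)
        pinned = self._pins.get(key)
        if pinned is None:
            if signed_fp is None:
                # First contact with nothing to compare against: do not pin.
                return "unverified"
            if not hmac.compare_digest(seen, _normalize(signed_fp)):
                return "mismatch"
            self._pins[key] = seen
            return "pinned"
        # Later connections: any difference from the pin is reported.
        return "match" if hmac.compare_digest(seen, pinned) else "changed"
```

Unlike plain trust-on-first-use, this store refuses to pin a certificate on first contact unless an authenticated fingerprint is supplied, which is the step the last comment calls "pretty manual".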



