Roy Badami [ARCHIVE] on Nostr
📅 Original date posted:2013-03-03
📝 Original message:

> (The reason for this is that (many? most? all?) CAs verify authority
> by having you place a file at some HTTP path on the domain in
> question.

IME most CAs verify by emailing hostmaster/webmaster@ or one of the
contacts in the WHOIS. But you're right, still subject to a MitM.
Still better than nothing though.

I would have suggested an EV cert, but that's more expensive (and
still far from foolproof).

> Basically only helps with the evil hotspot/tor_exit problem.

Also helps protect against DNS spoofing attacks, but yes, you're
right. I should be checking GPG sigs but I'm lazy :-)

roy