Andy Parkins [ARCHIVE] on Nostr: 📅 Original date posted:2011-12-19 🗒️ Summary of this message: HTTPS issues ...
📅 Original date posted:2011-12-19
🗒️ Summary of this message: HTTPS issues are social, not technical, with multiple CAs being tricked or strong-armed into issuing fake certificates. Bitcoin cannot solve this problem.
📝 Original message: On 2011 December 19 Monday, Jorge Timón wrote:
> Ok, so HTTP is not an option unless it shows a huge warning. I don't
> know the HTTPS possible attack, but maybe it needs a warning message
> too, from what you people are saying. Although using namecoin to
The problems with HTTPS have been social rather than technical. Multiple CAs
have been strong-armed by governments or tricked into issuing fake
certificates by scammers. There is no technical measure around that. By
using the CA certificate we are saying to the system "here is someone I trust
to issue a certificate". So far, with a large number of CAs, that trust is
misplaced.
I'm of the opinion though that this problem is outside the remit of bitcoin to
solve.
Perhaps we should be more strict about which CA certificates are trusted by
the bitcoin client: say restrict it to those who have demonstrably good
practices for verifying identity; rather than the ridiculous amount of trust
that comes pre-installed for me in my browser.
Andy
--
Dr Andy Parkins
andyparkins at gmail.com