Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

I didnt understand the point he was trying to make about trusting a public key from a remote server. At somepoint you need to trust some third party public key if you want to send them encrypted data and verifying ownership is kinda left to user. Hell even signal does that, who is really checking their contact security numbers to make sure the signal server didnt send you some bullshit...


> didnt understand the point he was trying to make about trusting a public key from a remote server.

What stops the server from swapping SyttenPK for NSA PK?

The operating word of the quote was "just".

> Hell even signal does that, who is really checking their contact security numbers to make sure the signal server didnt send you some bullshit...

Their latest code commits include key transparency, which is one good way to address this problem.


I do get that, but I am not so sure what the real solution is. The industry standard still is some form of "the server sends me a key and I trust it".

Key transparency is not really solving anything for the average person.


The problem isn't "the server sends me a public key".

The problem is there's no way to know if the server is lying.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: