
> didn't understand the point he was trying to make about trusting a public key from a remote server.

What stops the server from swapping SyttenPK for NSA PK?

The operative word of the quote was "just".

> Hell, even Signal does that; who is really checking their contact security numbers to make sure the Signal server didn't send you some bullshit...

Their latest code commits include key transparency, which is one good way to address this problem.



I do get that, but I am not so sure what the real solution is. The industry standard still is some form of "the server sends me a key and I trust it".

Key transparency is not really solving anything for the average person.


The problem isn't "the server sends me a public key".

The problem is there's no way to know if the server is lying.
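The thread's point (the server can hand you any key and you cannot tell it is lying) and the reply that key transparency is one answer to it can be made concrete with a small model. The following is an added example, not code from the thread or from Signal's project: a toy append-only Merkle log of (user, public key) bindings in the style of RFC 6962, a client that only accepts a key if it comes with an inclusion proof against a log root the client learned out of band (from an auditor or gossip), and a key owner who monitors the log for entries under their own name. All names and key bytes are constructed placeholders; consistency proofs between successive roots and the privacy features real deployments add are omitted.

```python
"""Toy key-transparency log (constructed example, not a real deployment).

Append-only Merkle log of (user, pubkey) bindings. Clients verify inclusion
proofs against a root learned out of band; owners monitor their own entries.
"""
import hashlib
from typing import List, Tuple


def _h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def leaf_hash(user: str, pubkey: bytes) -> bytes:
    # Domain-separated so a leaf can never be confused with an inner node.
    return _h(b"\x00" + user.encode() + b"\x00" + pubkey)


def node_hash(left: bytes, right: bytes) -> bytes:
    return _h(b"\x01" + left + right)


def _split(n: int) -> int:
    # Largest power of two strictly less than n (RFC 6962 tree shape).
    k = 1
    while k * 2 < n:
        k *= 2
    return k


def merkle_root(hashes: List[bytes]) -> bytes:
    if not hashes:
        return _h(b"")
    if len(hashes) == 1:
        return hashes[0]
    k = _split(len(hashes))
    return node_hash(merkle_root(hashes[:k]), merkle_root(hashes[k:]))


def inclusion_path(hashes: List[bytes], index: int) -> List[Tuple[bytes, bool]]:
    """Sibling hashes from leaf to root; the flag says the sibling is on the left."""
    if len(hashes) == 1:
        return []
    k = _split(len(hashes))
    if index < k:
        return inclusion_path(hashes[:k], index) + [(merkle_root(hashes[k:]), False)]
    return inclusion_path(hashes[k:], index - k) + [(merkle_root(hashes[:k]), True)]


def verify_inclusion(leaf: bytes, path: List[Tuple[bytes, bool]], root: bytes) -> bool:
    h = leaf
    for sibling, sibling_is_left in path:
        h = node_hash(sibling, h) if sibling_is_left else node_hash(h, sibling)
    return h == root


class KeyLog:
    """The directory server's log: entries are only ever appended, never edited."""

    def __init__(self) -> None:
        self.entries: List[Tuple[str, bytes]] = []

    def append(self, user: str, pubkey: bytes) -> int:
        self.entries.append((user, pubkey))
        return len(self.entries) - 1

    def leaves(self) -> List[bytes]:
        return [leaf_hash(u, k) for u, k in self.entries]

    def root(self) -> bytes:
        return merkle_root(self.leaves())

    def lookup(self, user: str):
        """Latest binding for `user` plus an inclusion proof against the current root."""
        idx = max(i for i, (u, _) in enumerate(self.entries) if u == user)
        return self.entries[idx][1], idx, inclusion_path(self.leaves(), idx), self.root()


def client_accepts(user, pubkey, path, served_root, gossiped_root) -> bool:
    """The querying client's check: the key must be in the log, and the served root
    must equal the root learned out of band, so a private fork is rejected."""
    return served_root == gossiped_root and verify_inclusion(leaf_hash(user, pubkey), path, served_root)


def owner_detects_substitution(log: KeyLog, user: str, own_keys: set) -> bool:
    """The owner's monitoring: any entry under their name that they never published."""
    return any(u == user and k not in own_keys for u, k in log.entries)


def demo() -> Tuple[bool, bool, bool, bool]:
    log = KeyLog()
    bob_key = b"bob-pubkey-v1"  # constructed placeholder, not a real key
    log.append("alice", b"alice-pubkey-v1")
    log.append("bob", bob_key)
    log.append("carol", b"carol-pubkey-v1")
    honest_root = log.root()  # what auditors / gossip report to Alice

    # Honest lookup: proof verifies and the root matches gossip.
    key, _, path, root = log.lookup("bob")
    honest_ok = client_accepts("bob", key, path, root, honest_root)

    # Case 1: the server swaps Bob's key on a private fork shown only to Alice.
    fork = KeyLog()
    fork.entries = list(log.entries)
    fork.entries[1] = ("bob", b"mallory-pubkey")
    key, _, path, root = fork.lookup("bob")
    fork_rejected = not client_accepts("bob", key, path, root, honest_root)

    # Case 2: the server appends the swapped key to the real log. Alice's proof
    # verifies, but the substitution is now public and Bob's monitoring sees it.
    log.append("bob", b"mallory-pubkey")
    key, _, path, root = log.lookup("bob")
    alice_fooled = client_accepts("bob", key, path, root, log.root())
    bob_caught = owner_detects_substitution(log, "bob", {bob_key})
    return honest_ok, fork_rejected, alice_fooled, bob_caught


if __name__ == "__main__":
    print(demo())
```

The two cases show what transparency buys and what it does not: the server can no longer lie to one client in private, because the served root must match what everyone else sees; it can still publish a bad key, but only by leaving an auditable record that the key's owner (or anyone monitoring on their behalf) can detect. Whether the average person ever runs that monitoring is exactly the open question raised above.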



