
No, I'm not okay with it, which is why I'm so against the near ubiquity of http which suffers from this exact problem on most mobile networks and many free wifi networks. The things you describe are not only possible but widespread.

By requiring a perfect solution to auth and ident (rather than iterative improvements) you are part of the problem.

Unidentified but authenticated connections should not be penalised compared to unauthenticated and unidentified connections. If someone MITMs a TLS connection with a forged certificate they can indeed do all the things that are trivial already with bog-standard http. If a client records TLS keys of sites they've already visited there is partial mitigation of this attack.

This doesn't have to have any effect on the CA scam business model, although obviously I would be in favour of a combination of key pinning and some sort of hand-wavey consensus determination for initial pins of arbitrary sites, but the fact that people are being forced to pay in order that browsers won't prefer plain-text over end-to-end encryption is absurd.
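
The idea in the comment above of a client recording the keys of sites it has already visited, sketched as an added example that is not part of the original comment or of any browser's code. `PinStore`, `check` and the sample hostnames and key bytes are assumptions made for illustration; a real client would pass in the public key taken from the server's certificate.

```python
import base64, hashlib, hmac, json, os, tempfile

class PinStore:
    """Trust-on-first-use store: hostname -> base64(SHA-256(public key bytes))."""

    def __init__(self, path):
        self.path, self.pins = path, {}
        if os.path.exists(path):
            with open(path) as f:
                self.pins = json.load(f)

    @staticmethod
    def fingerprint(public_key: bytes) -> str:
        return base64.b64encode(hashlib.sha256(public_key).digest()).decode()

    def check(self, host: str, public_key: bytes) -> str:
        host = host.lower().rstrip(".")      # one pin per normalised name
        seen = self.fingerprint(public_key)
        pinned = self.pins.get(host)
        if pinned is None:
            # First visit: nothing to compare against, so whatever key is
            # presented gets recorded. This is why the mitigation is partial.
            self.pins[host] = seen
            self._save()
            return "first-use"
        if hmac.compare_digest(pinned, seen):
            return "match"
        return "mismatch"                    # keep the old pin; caller decides

    def _save(self):
        tmp = self.path + ".tmp"             # write then rename: no torn store
        with open(tmp, "w") as f:
            json.dump(self.pins, f)
        os.replace(tmp, self.path)

def demo():
    # Constructed stand-ins for the key bytes a TLS client would extract.
    site_key = b"constructed-key-of-example.test"
    other_key = b"constructed-key-of-an-interceptor"
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "pins.json")
        results = [PinStore(path).check("example.test", site_key)]
        store = PinStore(path)               # reload, as on a later visit
        results.append(store.check("Example.test.", site_key))
        results.append(store.check("example.test", other_key))
        results.append(store.check("example.test", site_key))
    return results

if __name__ == "__main__":
    print(demo())
```

A mismatch also occurs when a site legitimately rotates its key, so the caller has to decide how to handle that case.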



