Re: [gopher] Tor for Gopher
On 3/1/2017 1:34 AM, Mateusz Viste wrote:
It would seem you are contradicting yourself. If SSL is not able to
guarantee "who am I talking to", then the whole encryption point is moot.
Doing a MITM on SSL is easy if you disregard the CA part of the scheme -
myself, I did it many times (for good reasons!). It's as trivial as
setting up a SSL proxy with a fake CA. Yes, encryption is there, between
the client and my proxy. Then, it may also be present between my proxy
and the destination server, but on the proxy itself I can comfortably
dump your credit card number.
Shortly said, if we assume that the entire CA business is worthless, then
so is SSL.
um.... No I don't think I did say anything contradictory - at least not
with respect to your point above, which by the way, Mateusz, is spot on.
I just didn't come right out and say what you just did :)
And I concur with what Kim said too here:
Funny you should say that - I've always held the opinion that SSL/TLS is completely worthless the way it's currently implemented. Just think about it - what if you had to prove your identity to some foreign company and pay a yearly payment just to set up an SSH server?
I think my point was that the extortion scheme, as a result of LE, is
crumbling, because they never assured the user of anything really
substantial in the first place and were profiting on FUD (FUD, as coined
by Dr. Amdahl).
This email has been checked for viruses by Avast antivirus software.
Gopher-Project mailing list