
Re: [gopher] Tor for Gopher





On 3/1/2017 1:34 AM, Mateusz Viste wrote:
It would seem you are contradicting yourself. If SSL is not able to
guarantee "who am I talking to", then the whole encryption point is moot.
Doing a MITM on SSL is easy if you disregard the CA part of the scheme -
myself, I did it many times (for good reasons!). It's as trivial as
setting up an SSL proxy with a fake CA. Yes, encryption is there, between
the client and my proxy. Then, it may also be present between my proxy
and the destination server, but on the proxy itself I can comfortably
dump your credit card number.

Shortly said, if we assume that the entire CA business is worthless, then
so is SSL.

um.... No I don't think I did say anything contradictory - at least not with respect to your point above, which by the way, Mateusz, is spot on. I just didn't come right out and say what you just did :)

And I concur with what Kim said too here:

<snip>

Funny you should say that - I've always held the opinion that SSL/TLS is completely worthless the way it's currently implemented. Just think about it - what if you had to prove your identity to some foreign company and pay a yearly payment just to set up an SSH server?


</snip>

I think my point was that the extortion scheme, as a result of LE, is crumbling, because they never assured the user of anything really substantial in the first place and were profiting on FUD (FUD, as coined by Dr. Amdahl).

Kindest regards,

Bradley




_______________________________________________
Gopher-Project mailing list
Gopher-Project@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/gopher-project


