Hi all,
I typically lurk, but this is one of my hot buttons:
I don't want to beg the question, BUT:
Why are we encrypting data that is published publicly?
And if we're encrypting it for privacy, why are we not worried
about the keys being directly tied to us, thus removing all
privacy?
And since SSL was broken decades ago and replaced with various
versions and key sizes.
And since MITM attacks for SSL/TLS are well known, why bother
using it at all?
Has everyone forgotten that a CA can spoof/validate any
certificate that the 5 eyes wish?
And if we are going to encrypt for some yet unknown reason that I
can't quite fathom,
Then,
Why don't we just use another port? If it listens on 70, it's
open. If it listens on 743 (or whatever),
then it's encrypted, like http and https (80/443).
I'm a big proponent of using the network layer and keeping
encryption in its own layer.
Steve
MtxDev
Am 2021-12-06 17:57, schrieb Mateusz Viste:
On 06/12/2021 16:48, wzk@quietsche-entchen.de wrote:
Of course the reason for TLS is (to state the obvious) that someone in between might read or even modify the data the client gets. If we assume a man-in-the-middle, then the TLS option would be taken out of the CAPS response, which is why this may not work reliably.
If you assume a MITM, then the attacker can just as easily answer in place of the target server and cut out whatever he wants (incl. TLS support in the first place, or replace it with his own TLS certificate). In such context, the "opportunistic TLS" scenario doesn't make sense anyway.
Mateusz
Now that I think about it, I see you're right. Thank you.
Regards,
Wolfgang