[Security] TLS Certificates Verification

Johansson Olle E oej at edvina.net
Wed Aug 20 01:39:55 CDT 2008


19 aug 2008 kl. 21.02 skrev Justin Karneges:

> On Monday 18 August 2008 14:34:19 Eric Rescorla wrote:
>> I would encourage you to try to figure out what *style* of authentication
>> you want and what the constraints are, and then ask what protocol best
>> suits or can be made to best suit those needs.
>
> Eric has stressed this a few times now in the thread, and I wanted to throw in
> a "me too" here.
>
> Take a look at OTR.  It is very popular, but this is most certainly due to its
> hassle-free user experience, *not* its security properties.  Like Esessions,
> OTR lacks scrutiny.  Yet, users enjoy OTR because they are not bothered with
> public key maintenance, and any fingerprint checking can be easily skipped.
> The protocol itself is unimportant.
>
Well, there's an "OTR proxy" that actually is designed to be a man-in-the-middle
and be the endpoint, so that a server administrator can log in clear text...

The users still feel warm and happy though.

/O ;-)
