On 12/16/2013 05:43 PM, Martin Thomson wrote:
> On 16 December 2013 04:02, Yoav Nir <synp71@live.com> wrote:
>> But how can you get an authentic redirect, if hotmail.com does not have a
>> CA-issued certificate? And if it does, why not use that rather than a
>> self-signed certificate?
>
> That was somewhat the point of the comment I think. If you are going
> to avoid getting a good certificate, then you also avoid all the
> advantages, like resilience against active attacks like that.
>
> A self-signed certificate does allow for things that are TOFU-like,
> but not perfectly. Things like CT help too.

But afaik CT doesn't help with self-signed or equivalent
TOFU things as it relies on the CAs to avoid the log being
spammed. If there were a way to let web sites use CT for
self-signed certs, that'd be interesting but I thought that
the CT folks didn't like that idea.

S.

> Obviously,
> http://hotmail.com should have a certificate that is signed by a CA
> and HSTS turned on. (Sadly, in reality, it has the former; instead of
> the latter, it provides a P3P header :( ) Those things cost.
>
> As an aside, I really would like people to recognize the non-monetary
> costs here, which are far more relevant.
>
>

Received on Monday, 16 December 2013 18:03:09 UTC