
It would have to be some kind of web of trust thing. But no, I don't have any specific suggestions to that effect (which is why I believe that HTTP should remain an option).


What about self-signed certificates? That's still better than plain HTTP.


What benefits does a self-signed certificate give over plain HTTP? They don't prevent MITM injection, which is the thing you raised in the other thread.


This assumes that passive attacks and active attacks are the same.

Self-signed doesn’t protect against active MITM, as you note.

It does protect against passive attacks, in providing privacy against eavesdropping and resistance to packet/content injection on the LAN.


The visitor can import the self-signed certificate, so that it becomes trusted and after that MITM won't be possible without certificate errors.

However, this won't help if the certificate is already forged the first time the visitor connects to the site.
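The trust-on-first-use behaviour described in the comment above, as an added example that is not part of the thread: a client records the fingerprint of the self-signed certificate on first contact and flags any later change. `PinStore`, `demo` and the host name `site.example` are hypothetical, and the certificate bytes are constructed stand-ins for real DER data.

```python
import hashlib
import hmac
import json
import ssl
from pathlib import Path


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 fingerprint of the DER-encoded certificate."""
    return hashlib.sha256(der_cert).hexdigest()


def fetch_der(host: str, port: int = 443) -> bytes:
    """Fetch the server's certificate without validating it (needs network; unused in demo)."""
    pem = ssl.get_server_certificate((host, port))
    return ssl.PEM_cert_to_DER_cert(pem)


class PinStore:
    """Hypothetical trust-on-first-use store: host -> pinned fingerprint, kept in a JSON file."""

    def __init__(self, path):
        self.path = Path(path)
        self.pins = json.loads(self.path.read_text()) if self.path.exists() else {}

    def check(self, host: str, der_cert: bytes) -> str:
        seen = fingerprint(der_cert)
        pinned = self.pins.get(host)
        if pinned is None:
            # First contact: nothing to compare against, so whatever was
            # presented gets pinned, including a forged certificate.
            self.pins[host] = seen
            self.path.write_text(json.dumps(self.pins, indent=2))
            return "pinned-on-first-use"
        if hmac.compare_digest(pinned, seen):
            return "match"
        return "MISMATCH"  # pin is left untouched; treat as a certificate error


def demo(path):
    # Constructed stand-ins for DER certificates; real ones come from fetch_der().
    site_cert = b"constructed-DER:self-signed cert of site.example"
    other_cert = b"constructed-DER:different cert presented for site.example"
    store = PinStore(path)
    first = store.check("site.example", site_cert)
    again = store.check("site.example", site_cert)
    swapped = PinStore(path).check("site.example", other_cert)  # reloaded from disk
    return first, again, swapped
```

The third result is the certificate error the comment refers to; the first result is the step that offers no protection if the certificate seen on the initial connection was already forged.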



