
List:       kde-devel
Subject:    Re: ssl auth failure gui: does "continue" do what I think it does?
From:       Allan Sandfeld Jensen <kde () carewolf ! com>
Date:       2009-06-09 21:33:57
Message-ID: 200906092333.57536.kde () carewolf ! com

On Tuesday 09 June 2009, Thiago Macieira wrote:
> The point is that, without authenticating the remote end, you open
> yourself to man-in-the-middle attacks, which means you achieved no real
> security.
>
To execute a man-in-the-middle attack you have to be a man in the middle. Very
few people have that opportunity, therefore encryption without authentication
is useful for privacy. Some other attacks can misguide the traffic and
achieve the same result, but not without compromising another level of
security.

Second. Since a key is stored and rechecked later, there _is_ protection 
against man-in-the-middle attacks. The attacker has to be pervasive and have 
the attacked installed himself from the very first time you encounter this 
server for the attack to be effective. This is similar to the protection 
granted by SSH.

No, it won't protect you from the NSA or even the ISP spying on you, but there 
is a time and place for paranoia. I don't think this is it.

`Allan
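
Added example, not part of the original message: the "key is stored and rechecked later" scheme described above, written as a trust-on-first-use pin store. The PinStore class, the JSON pin file, the host name and the certificate byte strings are assumptions made for illustration, not KDE's implementation.

```python
import hashlib
import json
import os
import tempfile

FIRST_USE, MATCH, MISMATCH = "first-use", "match", "mismatch"

class PinStore:
    """Trust-on-first-use store: host:port -> SHA-256 of the certificate DER."""

    def __init__(self, path):
        self.path = path
        self.pins = {}
        if os.path.exists(path):
            with open(path) as fh:
                self.pins = json.load(fh)

    def check(self, host, port, cert_der):
        """Pin on first contact, compare on every later one."""
        key = f"{host}:{port}"
        seen = hashlib.sha256(cert_der).hexdigest()
        pinned = self.pins.get(key)
        if pinned is None:
            # Nothing to compare against: whoever answers first gets trusted.
            self.pins[key] = seen
            self._save()
            return FIRST_USE
        if pinned == seen:
            return MATCH
        # Never overwrite silently; the user must decide out of band.
        return MISMATCH

    def _save(self):
        # Write-then-rename so a crash cannot leave a truncated pin file.
        tmp = self.path + ".tmp"
        with open(tmp, "w") as fh:
            json.dump(self.pins, fh)
        os.replace(tmp, self.path)

def demo():
    # Constructed byte strings stand in for DER-encoded certificates.
    server, interceptor = b"constructed-server-cert", b"constructed-interceptor-cert"
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "pins.json")
        results = [PinStore(path).check("mail.example.org", 993, server)]
        # Each new PinStore reloads from disk, as a later session would.
        for cert in (server, interceptor, server):
            results.append(PinStore(path).check("mail.example.org", 993, cert))
        return results
```

The first result is the case the message concedes: whatever certificate is presented on the very first contact is the one that gets pinned. The final "match" shows that a mismatch does not replace the stored pin.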


