[Freedombox-discuss] :Configuration: Plug Server Test Publically Available
nick.m.daly at gmail.com
Sun Nov 6 19:08:06 UTC 2011
-----BEGIN PGP SIGNED MESSAGE-----
Hi Bjarni, thanks for the reply!
Bjarni Rúnar Einarsson <bre-k9pR3Njzdnfk1uMJSBkQmQ at public.gmane.org>
> Hey Nick,
> Glad it's working for you! :-) I wanted to respond to a couple of
> comments you made inline:
I must've been really tired when I wrote this, as I didn't really say
what I meant.
> On Sat, Nov 5, 2011 at 6:26 AM, Nick Daly <nick.m.daly-Re5JQEeQqe8AvxtiuMwx3w at public.gmane.org> wrote:
>> It weirds me out that I need to *MITM myself* so the FBX can be
I was actually combining my concerns about MITM problems and my concerns
about needing a port-forwarding service, above. The port forwarding
service adds another service that (if taken offline) would render my
site unreachable. However, the system already has so many moving parts
that it's a very minor concern. Anyway, my connection to the outside
world wouldn't work without it :)
>> but I'm not too worried that the Icelandic government's
>> going to fake an SSL certificate. Israel might, though, so it might
>> be good to move PageKite to a (root-)CA based in their own country.
> I think this is a misunderstanding. Sadly, anyone who can sign
> certificates can probably MITM us - it doesn't matter which root signs
> our cert, the browser will accept any valid signature from anywhere.
> I don't particularly trust Israel, but as I understand things, I'm
> afraid it doesn't really matter much. The only way I know to manage
> this risk is to use the Firefox and the Certificate Patrol plugin, or
> self signed certs (see below) and a security exception in the browser.
> PageKite's wildcard SSL service does not pretend to be a perfect
> solution and we hope our users understand the limitations of what we
> offer - but it is better than nothing. :-)
No disrespect to either of the above governments intended, I was
ironically referring to the fact that there's no way I can know who has
what interest in faking which certificates. After reading "Certified
Lies" (and installing Cert Patrol ) I worry less about the majority
of SSL MITM attacks and primarily about country-specific attacks. I
actually forgot SSL's issues were bigger than country-specific concerns,
since I'm less vulnerable to those types of attacks.
This is why we need a globally-distributed, self-authenticating
namespace. Though, as John Gilmore mentioned, that's a decades long
goal; it's not a current priority.
An interesting fact about the "Certified Lies" paper: there are at least
two different versions of this paper currently available. I don't know
why or when the paper was revised, neither version carries any dating or
version information. You can tell which version of the paper you're
reading by looking at the Abstract.
Writing my GPG key fingerprint at the end of a self-authenticating and
self-identifying message seems redundant.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
-----END PGP SIGNATURE-----
More information about the Freedombox-discuss