lynx-dev
[Top][All Lists]
Advanced

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: lynx-dev FORCE_SSL_PROMPT:NO


From: Stef Caunter
Subject: Re: lynx-dev FORCE_SSL_PROMPT:NO
Date: Sun, 27 Jul 2003 00:00:20 -0400 (EDT)

Adding pointers to these utilities lets people begin
to make _their_ _own_ decisions about encryption and
how to assess trust as they try to use the major unix
clients securely.

More of this is needed in the documentation for clients
that use the openssl libraries.

I think a balance can be achieved in the presentation of the
information, to enable people to learn to usefully protect
themselves through these procedures, and to show there is
control through knowledge with an open source browser and
ssl library.


--Stef

On Sat, 26 Jul 2003, Doug Kaufman wrote:

> On Sat, 26 Jul 2003, David Woolley wrote:
>
> > > "echo QUIT | openssl s_client -connect whatever.invalid:443 > certfile"
> >
> > This is only useful if the site is local and connected over a physically
> > secure network.  Otherwise you need mechanisms, that go beyond simply
> > providing a link, to ensure that you are actually getting the certificate
> > from the real site, e.g. you might look for a key signature in printed
> > literature, or phone them up to verify the key signature.
>
> True, but the same considerations apply to any certificates that you
> use. What you need to do depends on how secure you want the connection
> to be. Should we put in a warning about getting a cacert bundle from the
> modssl distribution? Someone could certainly hack a mirror site and put
> in an altered ca-bundle.crt file.
>
> I guess it would be best to leave out information about s_client use,
> since if you know how to use it properly, you probably didn't need the
> pointer to it here.
>                         Doug
> --
> Doug Kaufman
> Internet: address@hidden
>
>
> ; To UNSUBSCRIBE: Send "unsubscribe lynx-dev" to address@hidden
>

11:01PM  up 1 day, 11:43, 2 users, load averages: 0.19, 0.11, 0.09
OpenBSD 3.3 i386 Intel Pentium (P54C) ("GenuineIntel" 586-class)

; To UNSUBSCRIBE: Send "unsubscribe lynx-dev" to address@hidden

reply via email to

[Prev in Thread] Current Thread [Next in Thread]