lynx-dev

Re: SSL problems - lynx-dev lynx2.8.5dev.9


From: Clemens Fischer
Subject: Re: SSL problems - lynx-dev lynx2.8.5dev.9
Date: 13 Oct 2002 22:49:47 +0200
User-agent: Gnus/5.090008 (Oort Gnus v0.08) Emacs/21.2 (i386--freebsd)

David Woolley <address@hidden>:

>> Is the average lynx user going to need to know all of this esoteric stuff
>> to access SSL sites?
>
> If you are referring to my article, this is one of the great weaknesses
> of SSL on the web; people don't understand it and therefore are not
> getting the level of security that they think they are getting.

correct.  and i think understanding a "trustmodel" is not esoteric.
SSL's trustmodel has root-certificates at the top, which are used to
sign certificates one level down, and those are used to sign
certificates again one level down, until the one server you connect to
presents his certificate.  lynx can check the signatures on this
particular certificate to make sure there's a complete chain from the
roots down.

there are other such models, eg. the "web of trust" as implemented
in PGP.  there users can specify themselves who they trust to what
extent, and the web-of-trust has no central authority.

> Really, with security, a little knowledge is a dangerous thing, and I
> suspect that many people, if they really understood the trust structures
> associated with SSL, would be rather careful about checking the details
> of certificates.

nothing to add here :)

> One major company even issued a Microsoft certificate to a company other
> than Microsoft, and there had to be a Windows critical update to block
> that certificate.

and i bet most m$ products installed would still trust that bogus
certificate!

clemens
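
The chain check described in the message above, as an added example that is not part of the original post: it uses the `openssl` command-line tool (an assumption; the message names only lynx) to build a root, an intermediate and a server certificate, then shows that verification succeeds only when every link down from the root is present. All subject names are constructed.

```shell
#!/bin/sh
# Added example. Every subject name below is constructed.

# issue DIR NAME SUBJECT ISSUER [EXTFILE]  (ISSUER "self" = self-signed)
issue() {
    d=$1; name=$2; subj=$3; issuer=$4; ext=${5:-}
    openssl req -new -newkey rsa:2048 -nodes -subj "$subj" \
        -keyout "$d/$name.key" -out "$d/$name.csr" 2>/dev/null || return 1
    if [ "$issuer" = self ]; then
        set -- -signkey "$d/$name.key"
    else
        set -- -CA "$d/$issuer.pem" -CAkey "$d/$issuer.key" -CAcreateserial
    fi
    if [ -n "$ext" ]; then set -- "$@" -extfile "$ext"; fi
    openssl x509 -req -in "$d/$name.csr" -days 30 "$@" \
        -out "$d/$name.pem" 2>/dev/null
}

# build_chain DIR: root -> intermediate -> server, plus an unrelated
# self-signed certificate that reuses the server's name.
build_chain() {
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' \
        > "$1/ca.ext"
    issue "$1" root   "/CN=Example Root CA"         self "$1/ca.ext" &&
    issue "$1" inter  "/CN=Example Intermediate CA" root "$1/ca.ext" &&
    issue "$1" server "/CN=www.example.test"        inter &&
    issue "$1" rogue  "/CN=www.example.test"        self
}

# chain_ok DIR CERT [INTERMEDIATE]: succeeds only if CERT chains to root.pem.
chain_ok() {
    if [ -n "${3:-}" ]; then
        openssl verify -CAfile "$1/root.pem" -untrusted "$1/$3.pem" \
            "$1/$2.pem" 2>/dev/null | grep -q ': OK$'
    else
        openssl verify -CAfile "$1/root.pem" "$1/$2.pem" 2>/dev/null |
            grep -q ': OK$'
    fi
}

demo() {
    tmp=$(mktemp -d) || return 1
    build_chain "$tmp" || { rm -rf "$tmp"; return 1; }
    chain_ok "$tmp" server inter && echo "server + intermediate: trusted"
    chain_ok "$tmp" server || echo "server, intermediate missing: rejected"
    chain_ok "$tmp" rogue inter || echo "self-signed look-alike: rejected"
    rm -rf "$tmp"
}
demo
```

The look-alike certificate carries the same name as the real server; it is rejected only because nothing links its signature back to the trusted root.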
