Reply to post: Beware of the Man in the Middle (Kingdom)

Mozilla piles on China's SSL cert overlord: We don't trust you either

James Ashton

Beware of the Man in the Middle (Kingdom)

I'd much rather have an ad hoc system of someone publishing what hash THEY see for Facebook, and what I see for Facebook and then if they match I have a semblance of security.

How are these published hashes going to reach you? Over the Internet? So the man in the middle is just going to intercept your request for these hashes and replace them with hashes for their bogus certs. In China in particular, the government controls your Internet connexion so this would be trivial for them. You could try downloading the hashes over SSL but, whoops, chicken meets egg. What you're suggesting is just an alternative or secondary system of trust that's really no different from what we have already.
