
There was a great discussion about this a month or so ago (http://news.ycombinator.com/item?id=2376431). I'd highly encourage you to read the comments that were made.

As Lanzaa pointed out here, encryption without identity validation is worthless. If anyone can MITM your connection without you knowing about it, your encryption isn't doing you any good. That being said, there is certainly value to the "SSH model", where you verify the destination's fingerprint the first time you connect and any time it changes. That at least gives you the opportunity to know if someone is attacking you.
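The "SSH model" described in the comment above, sketched as an added example that is not part of the original thread: pin a server's certificate fingerprint on first contact and flag any later change. The `PinStore` class, the JSON file layout and the sample certificate bytes are assumptions made for illustration.

```python
import hashlib
import hmac
import json
from pathlib import Path


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 fingerprint of the server's DER-encoded certificate."""
    return hashlib.sha256(der_cert).hexdigest()


class PinStore:
    """known_hosts-style store (hypothetical): host:port -> pinned fingerprint."""

    def __init__(self, path):
        self.path = Path(path)
        self.pins = json.loads(self.path.read_text()) if self.path.exists() else {}

    def check(self, host: str, port: int, der_cert: bytes) -> str:
        key = f"{host.lower()}:{port}"
        seen = fingerprint(der_cert)
        pinned = self.pins.get(key)
        if pinned is None:
            # First contact: nothing to compare against, so this connection is
            # unauthenticated. Pin it so a later change becomes visible.
            self.pins[key] = seen
            self.path.write_text(json.dumps(self.pins, indent=2))
            return "first-seen"
        if hmac.compare_digest(pinned, seen):
            return "match"
        # Same name, different key: either a legitimate rotation or someone
        # in the path. Never overwrite the pin silently; the user must decide.
        return "changed"


def demo(tmp_path="pins_demo.json"):
    # Constructed stand-ins for DER certificates; in real use these bytes would
    # come from ssl.SSLSocket.getpeercert(binary_form=True).
    real_cert = b"constructed-cert-for-trusted.example.com"
    other_cert = b"constructed-cert-presented-by-someone-else"
    Path(tmp_path).unlink(missing_ok=True)
    store = PinStore(tmp_path)
    results = [
        store.check("trusted.example.com", 443, real_cert),
        store.check("trusted.example.com", 443, real_cert),
        store.check("trusted.example.com", 443, other_cert),
        # The pin survives a restart and was not replaced by the changed key.
        PinStore(tmp_path).check("trusted.example.com", 443, real_cert),
    ]
    Path(tmp_path).unlink()
    return results
```

The `first-seen` result is the weak point of this model: that first connection is taken on trust, and only later changes are detected.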




Why can't encryption still be useful if you (not your browser, you personally) trust what's in your URL bar?


I'd argue that in order to trust what's in your address bar, you have to have "verification": if you're not sure who's on the other end, you can't trust the address bar. Whether that knowledge comes from a PKI system like browsers use now or an SSH-style system is a separate issue.


Well, you will have to look at the server's key fingerprint; looking at the URL will not be enough.

If you're being MITM attacked, you will still see trusted.example.com in the URL bar.


I think you're talking more about someone hijacking a nameserver in that case. The vast majority of MitM attacks are on open networks between the client and the ISP, are they not?



