
> I'm not sure what that has to do with my point.

The point of yours that I addressed was: "that VERIFYHOST=1 exists primarily to give people the feeling of having configured SSL/TLS well without making them actually do that."

Put simply: It does not exist primarily for that purpose.

I can't make it any clearer than that.




Oh yeah? Interesting. Tell me, what is the point of checking to see if a certificate has a common name field in it but then not checking to see if that common name is related to the connection bearing the certificate? Make it clear for me, will you?


That option exists to punish those evil people who don't read the documentation.

I'm kidding... I think.


Of course, who it really punishes is the user.


Some developers seem to believe that more options are always better, even if removing the bad options makes the software better and easier to use.


> Put simply: It does not exist primarily for that purpose.

You fail to provide any proof for that statement. The API doc merely states what the setting does; it says absolutely nothing about its purpose, and neither do you.
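The two checks argued over in this thread, as an added Python example that is not part of any comment above and is not libcurl's code. It is a simplified model: the function names, the sample certificates and the matching rules (DNS subjectAltName entries first, CN as fallback, wildcard in the left-most label only) are assumptions made for illustration.

```python
# Added illustration: a simplified model, not libcurl's implementation.
# Certificates use the dict shape returned by ssl.SSLSocket.getpeercert().

def common_name(cert):
    """Return the first commonName in the subject, or None."""
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None

def name_matches(pattern, host):
    """Case-insensitive match; '*' may replace the whole left-most label only."""
    p_labels = pattern.lower().split(".")
    h_labels = host.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False
    if p_labels[0] == "*" and len(p_labels) > 2:
        return p_labels[1:] == h_labels[1:]
    return p_labels == h_labels

def verifyhost_1(cert, host):
    """Level 1 as described in the thread: a CN must exist; host is never used."""
    return common_name(cert) is not None

def verifyhost_2(cert, host):
    """Level 2: a name in the certificate must match the host connected to."""
    dns_names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not dns_names:  # fall back to the CN only when no DNS SAN is present
        cn = common_name(cert)
        dns_names = [cn] if cn else []
    return any(name_matches(n, host) for n in dns_names)

# Constructed samples: a certificate issued for one site but presented on a
# connection to another, and a CN-only wildcard certificate.
OTHER_SITE_CERT = {
    "subject": ((("commonName", "shop.example.net"),),),
    "subjectAltName": (("DNS", "shop.example.net"),),
}
WILDCARD_CERT = {"subject": ((("commonName", "*.example.com"),),)}

if __name__ == "__main__":
    host = "bank.example.com"
    print("level 1 accepts:", verifyhost_1(OTHER_SITE_CERT, host))
    print("level 2 accepts:", verifyhost_2(OTHER_SITE_CERT, host))
```

Under the first check any certificate that carries a CN passes, whichever host the client connected to; only the second check ties the certificate to the connection.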



