
Yeah but SSH and RDP aren't used by grandmas that get their wallets emptied by scammers. Forced SSL everywhere is a good thing.

It's bad that it's run by corporations, but it's still a good thing overall. Maybe it should be run by different people (like IDK ICANN over something like the UN).



Again, what's the risk that a first time visit to a site is going to give you a fake certificate?

OTOH SSL has done nothing for preventing phishing, since no CAs actually verify anything beyond you owning the domain.


Well, any time anyone might be loading up a website for the first time in a coffee shop.

Also, “remember this cert forever” (cert pinning) has been an ops disaster for a lot of sites that have tried it. So in practice “the first time” might be more like every week or every month. What's the risk that a coffee shop will not serve you a malicious cert once a week?

Also if they do it and you move back to your home connection… the site is broken there because now it’s returning a different one than was pinned (by the attacker!).
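
The failure mode described in the comment above, as an added example that is not part of the thread: a minimal trust-on-first-use pin store in Python. The `TofuPinStore` class, the one-week pin lifetime, the host name and the certificate byte strings are all constructed for illustration.

```python
import hashlib

class TofuPinStore:
    """Trust-on-first-use store: host -> (SHA-256 of cert bytes, pin expiry time)."""

    def __init__(self, pin_lifetime):
        self.pin_lifetime = pin_lifetime  # seconds a pin stays valid
        self.pins = {}

    def check(self, host, cert_der, now):
        """Return 'pinned-first-use', 'match' or 'mismatch' for a presented cert."""
        fp = hashlib.sha256(cert_der).hexdigest()
        pin = self.pins.get(host)
        if pin is None or now >= pin[1]:
            # No pin, or the pin expired: whatever is presented now gets trusted.
            self.pins[host] = (fp, now + self.pin_lifetime)
            return "pinned-first-use"
        return "match" if fp == pin[0] else "mismatch"

# Constructed stand-ins for certificate bytes; no real certificates are involved.
SITE_CERT = b"constructed-cert: example.test (site operator)"
OTHER_CERT = b"constructed-cert: example.test (untrusted network)"
WEEK = 7 * 24 * 3600

def poisoned_first_use():
    """First contact happens on the untrusted network, then the user goes home."""
    store = TofuPinStore(pin_lifetime=WEEK)
    return [
        store.check("example.test", OTHER_CERT, now=0),     # wrong cert gets pinned
        store.check("example.test", SITE_CERT, now=3600),   # real site now looks broken
    ]

def weekly_reexposure():
    """Short pin lifetimes reopen the first-use window every time a pin lapses."""
    store = TofuPinStore(pin_lifetime=WEEK)
    return [
        store.check("example.test", SITE_CERT, now=0),          # pinned at home
        store.check("example.test", OTHER_CERT, now=3600),      # swap is detected
        store.check("example.test", OTHER_CERT, now=WEEK + 1),  # pin lapsed: accepted
    ]

if __name__ == "__main__":
    print(poisoned_first_use())
    print(weekly_reexposure())
```

The store only detects a swap while a pin is live; it has no way to tell which certificate was the legitimate one at first use.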


There are plenty of ways to improve security but maintain openness.

I think a good idea might be to have TOFU and self-signed only as a fallback. If there was no initial mismatch, and then update cert periodically.


This amounts to a new "won't someone think of the children?"

All the little green lock icons in the world haven't put a dent in phishing or spoofing.



