Become a fan of Slashdot on Facebook


Forgot your password?

Comment Re: "Inadvertently"? (Score 1) 102

Yes, but what makes this box work is a phony _CA_. If I can verify the CA with a world-verifiable blockchain, then can't I trust the cert? Or at least make a smart decision about doing so?

Seems the size of the CA problem is orders of magnitude smaller.

What I want is to sniff the phony CA(s) and distrust all certs from it.

Comment Re: "Inadvertently"? (Score 1) 102

Yes, but the exposure here is in no way related to the banks choice of a cert provider. The bank doesn't enter into it, except as a place to rob.

Because top-level CAs CAN issue more CAs, some WILL: to governments, and accidentally or on purpose to freelance thugs. The thug sets up an interception box with said CA, and starts DNS poisoning attacks: he's got you.

Would prefer a system where issuance of a CA is a matter of real-time verifiable record, as would be each CA and cert on my machine. The browser could check an immutable public list in real time: blockchain might help here. Who says this CA is real, instead of on a machine in the basement? Everyone. Or no one. The system should be built so it CAN'T work without this record.


Comment "Inadvertently"? (Score 2) 102

How is this inadvertent?

These tools have been out there for years.

The user of the inspection box is INTENTIONALLY looking at my encrypted data, which could include PHI, PCI, or just plain shit I don't want them to see. My security has already been breached.

That these boxes are even possible to create and deploy (i.e. that someone CAN grant a CA for the box (not even that someone will do so)) shows the untenability of the entire "web of trust" for certs that is supposed to make you certain your data isn't being hijacked over TLS.

As long as this is out there, one can have _zero_ confidence any TLS-encrypted session isn't being hijacked.

I hope there's a rebuild of encrypted transport, and that next time, they don't make certificates so horsey. No, I don't know how to do that perfectly. Seems there's no way to do it peer-to-peer if I have to go down to every bank or business with a printout of their cert and match it up.

Maybe there's something blockchain technology could offer to make certs truly verifiable...

Comment Re: YES (Score 1) 313

Believe it. At least, that the scam worked (though I don't know the guy being discussed here).

I saw the same method, published in a counter-culture magazine (Mother Earth News? I forget...) in the late '70s. The details are familiar to me, and I've known all my adult life that airlines double-book as a result.

The same mag also got my late-teens self off the couch to collect high-tread used tires from gas stations (back when gas stations had mechanics, kids...), load 'em in Mom's station wagon and sell 'em to the tire store in the run down part of town, where they got sold on to folks with not much money.

Useful publication, gave me pocket money all the time.

Slashdot Top Deals

Whenever people agree with me, I always think I must be wrong. - Oscar Wilde