
Comment Re:No (Score 1) 406

That has nothing to do with the server at screen.palegray.net, which is a Debian VM running nginx to serve screen capture images. You're probably using Internet Explorer, and you're probably being prompted for whether or not you want to download the image file. The only thing being served from that link is in fact a PNG image (transcript from a simple curl test in a terminal on a Mac).

Calling someone an arsehole is pretty dumb when the "problem" at hand isn't even a problem, and instead arises from ignorance on your part.

Comment Re: Why do we trust SSL? (Score 1) 233

You are the worst brand of stupid, the kind who is more interested in preserving his own ego than dealing with problems effectively. If you'd bother to spend ten seconds thinking about the core problem here, you'd realize that people have far more to worry about at the network edges of their destinations than they realize. Have you considered the possibility that those edges might be inclined to probe inward and check the trust chain associated with the destination, and maybe just maybe take selective action based on that information? Do you have any idea what sort of ramifications that scenario holds aside from dirt simple logging of the packets in transit, things like modification of the payload for whatever purposes the attacker desires?

I'm sick of being nice about this. Just shut the fuck up.

Comment Re: Why do we trust SSL? (Score 2) 233

You stated, and missed the point of, the entire problem here, namely initial connection verification. OpenSSH should be treated in exactly the same manner, as it relies upon PKI in the same manner. Out of band fingerprint verification is essential to ensuring the integrity of such communications, which I'll reiterate you utterly failed to mention in your post while you were busy espousing the virtues of self-signed certs without any further guidance on the concerns associated with them. I verify every single key I accept via highly trusted out of band means. I'm fairly certain if I asked you how you'd manage to perform such verification, you'd spend fifteen minutes madly Googling answers and likely winding up parroting various one-liners you found on half-baked newbie forums (with self-signed certs, naturally) to attempt to prove your expertise.

To address your second point, I'm not saying the feds haven't compromised large scale commercial CAs through friendly visits, but that's really not at all the most efficient means of intercepting and decrypting comms at wire speed. I say this as someone who could build you the infrastructure required to do that.

In short, stop talking and start learning. Shut your mouth for a few years to avoid dispensing horribly misleading "advice" to others in the general community, and have a nice day.

Comment Re: Why do we trust SSL? (Score 2) 233

No, a self-signed certificate is not sufficient for what you're describing, or anything requiring actual security, unless you've set up your own CA in advance and added the corresponding root CA cert to your local PKI store (in the case that you're the operator of the forum), or added the root CA cert the forum is using (if any formalized CA infrastructure is being used at all on their end, given it's a self-signed cert) via an out-of-band source that you have reason to trust, or have a trustworthy out-of-band means of verifying the digital fingerprint of the certificate you're being presented with in the first place. The fundamental issue is simply that otherwise, the first time you visit the hypothetical forum site to register an account, you have no means of determining whether you're speaking directly to the forum server or a man in the middle. Men in the middle can be your ISP, the feds, whoever, and can have shall we say rather persistent presences in Internet architecture.

Please, please, please stop spreading misinformation like this. Please educate yourself, starting with Applied Cryptography. If you're not willing to speak intelligently on this topic, kindly stop misleading others and make your own mistakes in silence.
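
The out-of-band fingerprint check described in the comment above, as an added example that is not part of the original comment or of any project's code: the client compares the SHA-256 fingerprint of the presented certificate with one obtained over a trusted channel, and refuses when no such fingerprint exists instead of trusting the first certificate it sees. The host name `forum.example`, the pin store and the certificate bytes are constructed for illustration.

```python
import hashlib
import hmac

def fingerprint(der_bytes):
    """SHA-256 fingerprint of a DER-encoded certificate, lowercase hex."""
    return hashlib.sha256(der_bytes).hexdigest()

def normalize(fp):
    """Accept 'AA:BB:...', spaced or plain hex, as read out over a trusted channel."""
    cleaned = fp.replace(":", "").replace(" ", "").lower()
    if len(cleaned) != 64 or any(c not in "0123456789abcdef" for c in cleaned):
        raise ValueError("not a SHA-256 fingerprint")
    return cleaned

def colon_form(hex_fp):
    """Render hex the way fingerprints are usually printed for humans to compare."""
    return ":".join(hex_fp[i:i + 2] for i in range(0, len(hex_fp), 2)).upper()

def check_presented_cert(host, der_bytes, pins):
    """Return 'match', 'mismatch' or 'unpinned'.

    'unpinned' means no out-of-band fingerprint exists for this host, so the
    caller must refuse rather than trust whatever was presented first.
    """
    expected = pins.get(host)
    if expected is None:
        return "unpinned"
    if hmac.compare_digest(fingerprint(der_bytes), normalize(expected)):
        return "match"
    return "mismatch"

# Constructed stand-ins for DER bytes. In real use they would come from
# ssl.SSLSocket.getpeercert(binary_form=True) on the live connection.
GENUINE_DER = b"constructed stand-in: the forum's self-signed certificate"
INTERCEPTOR_DER = b"constructed stand-in: certificate presented by a man in the middle"

# Hypothetical pin store: fingerprint obtained from the operator out of band.
PINS = {"forum.example": colon_form(fingerprint(GENUINE_DER))}

if __name__ == "__main__":
    for label, der in (("genuine", GENUINE_DER), ("interceptor", INTERCEPTOR_DER)):
        print(label, check_presented_cert("forum.example", der, PINS))
    print("other host", check_presented_cert("other.example", GENUINE_DER, PINS))
```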

Comment Re:No (Score 1) 406

I can't help but find this a little ironic given the context of this story.

56 Marietta is a nice facility, though.

To get firmly back on topic, what you're suggesting is unworkable for many reasons. I've seen a few of those reasons firsthand.

Comment Re: Easy! (Score 1) 481

Let's just set aside the fact that inverting and/or flipping images isn't exactly rocket science, as it takes at most three clicks of a mouse to perform such operations. The simple fact is the GP is right; this is essentially the same technique I used eight years ago to defeat a fingerprint scanner. The technique works quite well, and has been employed using many a beer glass in the past for CID purposes.

In an attempt to reassure yourself that you're somehow smarter than those around you, you kind of ignore the fact that there are people here who have actually done what is being described. Nice try, though. Sweet dreams, cupcake.

Comment Re:I'm addicted (Score 1) 297

"ScheisseFS" wasn't a disparaging reference to ReiserFS, which is actually a very solid and capable filesystem. Instead, the joke was the link between the imaginary "ScheisseFS" and the phrase "shitty solution." Apparently, you were too dense to get that, along with whatever mods docked the original comment. Have a great day!

Comment Re:MD5? (Score 1) 49

all "they" are going to get is my nick. BFD.

It's not a BFD until someone uses your nick and probably a good chunk of your chat history to produce communications that damage you or someone else via dirt simple social engineering. Also, in considering only your own case, you're failing to recognize the larger impact that might be experienced by others. That's okay, just keep going with your snide dismissal of gaping holes in service infrastructure. I've thought about problems like these since about 1994, and given your UID, you too should have given some thought to the topic by now.
