Re: [dev] Surf assumes all SSL connections are good, which is bad

From: David E. Thiel <>
Date: Tue, 9 Feb 2010 16:03:59 -0800

On Tue, Feb 09, 2010 at 06:56:39PM -0500, Kurt H Maier wrote:
> SSL can do two things:
> 1) provide site-to-site encryption

Without certificate verification in some form, you have no way of
knowing that. Your connection could be decrypted and re-encrypted by any
number of parties along the way with no way for you to detect it. In
surf's case, they don't even have to use a CN that matches the hostname.
SSL without verification provides no security guarantees whatsoever.
Received on Wed Feb 10 2010 - 00:03:59 UTC

This archive was generated by hypermail 2.2.0 : Wed Feb 10 2010 - 00:24:01 UTC