[dev] Surf assumes all SSL connections are good, which is bad

From: Chris Palmer <chris_AT_noncombatant.org>
Date: Tue, 9 Feb 2010 15:09:47 -0800

I really like that Surf shows a red bar for HTTP connections and a green bar
for HTTPS connections. The trouble is, Surf has no store of CA certificates,
so can't be verifying server certificates. It is just assuming that any SSL
connection is good.

However, active network attacks are so easy to perform that saying "Well, at
least Surf defends against passive eavesdropping" is not really good enough.
Letting people believe that any SSL connection is good is actually worse
than nothing, because it creates a false sense of security.

I have serious qualms about depending on CAs (the false sense of security
they engender is even more of a problem, I'd argue!), but regardless, Surf
needs *something*. Perhaps a straight-up SSH-style trust on first use (TOFU)
mechanism? Perhaps Perspectives? Perhaps some combination?
Received on Tue Feb 09 2010 - 23:09:47 UTC
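
The SSH-style trust-on-first-use check suggested in the message above, sketched as an added example; it is not Surf code and not from the original post. The pin-file format, the function names, the "yellow" first-use state and the fingerprints are assumptions, and the caller is assumed to supply a normalised hex digest of the server certificate.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

enum tofu_result { TOFU_FIRST_USE, TOFU_MATCH, TOFU_MISMATCH, TOFU_ERROR };

/* Check host against a known_hosts-style pin file of "host fingerprint" lines.
 * fp is a hex digest of the server certificate, computed by the caller
 * (assumption). Unknown hosts are pinned; a changed pin is never overwritten. */
enum tofu_result tofu_check(const char *store, const char *host, const char *fp)
{
    char line[512], h[256], f[129];
    FILE *fh;
    int ok;
    /* Reject empty, oversized or whitespace-bearing fields (file corruption). */
    if (!*host || !*fp || strlen(host) > 255 || strlen(fp) > 128 ||
        strpbrk(host, " \t\r\n") || strpbrk(fp, " \t\r\n"))
        return TOFU_ERROR;
    fh = fopen(store, "r");
    if (!fh && errno != ENOENT)
        return TOFU_ERROR;              /* unreadable store: fail closed */
    while (fh && fgets(line, sizeof line, fh)) {
        if (sscanf(line, "%255s %128s", h, f) == 2 && strcmp(h, host) == 0) {
            fclose(fh);
            return strcmp(f, fp) == 0 ? TOFU_MATCH : TOFU_MISMATCH;
        }
    }
    if (fh)
        fclose(fh);
    fh = fopen(store, "a");             /* first contact: record the pin */
    if (!fh)
        return TOFU_ERROR;
    ok = fprintf(fh, "%s %s\n", host, fp) > 0;
    if (fclose(fh) != 0 || !ok)
        return TOFU_ERROR;
    return TOFU_FIRST_USE;
}

/* Indicator colour: green only when the pin matched an earlier visit.
 * "yellow" for first use is an assumption; the post only has red and green. */
const char *tofu_bar(enum tofu_result r)
{
    return r == TOFU_MATCH ? "green" : r == TOFU_FIRST_USE ? "yellow" : "red";
}

int main(void)
{
    /* Constructed host and fingerprints, not real values. */
    const char *store = "tofu_pins.txt";
    puts(tofu_bar(tofu_check(store, "example.org:443", "c0ffee01")));
    puts(tofu_bar(tofu_check(store, "example.org:443", "c0ffee01")));
    puts(tofu_bar(tofu_check(store, "example.org:443", "deadbeef")));
}
```

A mismatch is reported without replacing the stored pin, so accepting a changed certificate has to be a separate, explicit user action.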
