Practice Cryptography!
Even with all of the cryptologic and cryptographic technology that has existed in the world for the past 60 years, we still don't really know what encryption is good for or how to use it -- or, more importantly, why it's important. Maybe it's time for people and coders to actually start practicing how to use it, like any other skill.Thursday, March 20, 2008
Why are trust errors automatically fatal?
Why are 'trust' errors automatically fatal?
I mean, you're moving along the web, trying to look at some svn repository that is using a self-signed certificate, and BAM! all of a sudden you're presented with a "can't verify the identity of this site" dialog.
There's no reason for this to be fatal. There's no reason for this to do anything more than pop up a balloon tip, and maybe pop up the warning dialog on a form submission. (And you might as well show balloon tips showing the verified subject information and what root it's verified through, too.)
Adium (and Pidgin) have a plug-in, OTR ('off-the-record') that show how to do this in a sane manner. "OTR session established, identity not verified." This is the kind of thing that we should have for ALL of our applications, not just our instant messengers.
I mean, if "cannot verify the identity of this site" were supposed to be a fatal error, then browsing via http would be brought to a screeching halt.
I mean, you're moving along the web, trying to look at some svn repository that is using a self-signed certificate, and BAM! all of a sudden you're presented with a "can't verify the identity of this site" dialog.
There's no reason for this to be fatal. There's no reason for this to do anything more than pop up a balloon tip, and maybe pop up the warning dialog on a form submission. (And you might as well show balloon tips showing the verified subject information and what root it's verified through, too.)
Adium (and Pidgin) have a plug-in, OTR ('off-the-record') that show how to do this in a sane manner. "OTR session established, identity not verified." This is the kind of thing that we should have for ALL of our applications, not just our instant messengers.
I mean, if "cannot verify the identity of this site" were supposed to be a fatal error, then browsing via http would be brought to a screeching halt.
Archives
2006-02-12 2006-02-19 2006-02-26 2006-03-05 2006-03-12 2006-03-19 2006-03-26 2006-04-02 2006-04-09 2006-04-16 2006-04-23 2006-07-23 2008-01-13 2008-01-20 2008-02-03 2008-02-17 2008-03-16 2008-04-06 2008-05-11
