Secure download



Summary:

The conversation revolves around the ways certification authorities (CAs) verify authority. One person claims that many or most CAs verify by having you place a file at an HTTP path on the domain in question, while another person suggests that most CAs verify by emailing hostmaster@ or webmaster@, or one of the contacts in the WHOIS record. Both agree that these methods are subject to a Man-in-the-Middle (MitM) attack but are better than nothing. The suggestion of using an Extended Validation (EV) cert is made, but it is considered too expensive and still not foolproof. It is noted that this method only helps with the evil hotspot/tor_exit problem and also helps protect against DNS spoofing attacks. Despite the suggested use of GPG signatures, the person admits to being lazy about checking them.


Updated on: 2023-06-06T10:20:10.643009+00:00