The Lurker

Latest posts | Archive

posted by ajf on 2010-10-08 at 09:43 pm

National Novel Writing Month is imminent. I don't write fiction; for me, NaNoWriMo is just an annual reminder that I neglect my blog. I file this rant under "shit that is stupid that I cannot possibly hope to do anything about".

In an interesting discussion of decentralised addressing (as an alternative to centralised DNS), Daniel Kahn Gillmor writes (ending with slightly less emphasis than I'm using here):

If they're looking for John Smith because the word on the street is that John Smith is a good knitter and they need a pair of socks, they can just examine what information we each publish about ourselves, and decide on a sock-by-sock basis which of us best suits their needs.

But if they're looking for "John Smith" because their cousin said "hey, i know this guy John Smith. I think you would like to argue politics over a beer with him", then what matters is the introduction.

This is how HTTPS should work:

But this is how HTTPS actually works:

SSH uses a different method:

Supporters of HTTPS claim that their method is better, because even the first connection is verified by an organisation they trust. But consider the real risk that people actually face:

What you want is to know that, after a trusted introduction, that you are still communicating with the same party that you were introduced to. What HTTPS gives you instead is an assurance that the party is who they claim to be, even if that claim has been crafted to deceive you into thinking it is another party.

Related topics: Rants Web

All timestamps are Melbourne time.