SSLegance

tz thomas@mich.com
Thu Jul 25 18:01:46 PDT 2013


For the interim, the solution might be to have an extension that,
besides pushing PFS (and alerting when it doesn't work), would cache
the cert hashes or more and allow a browser (e.g. Firefox) to run with
all CAs as untrusted, but then do a verification on a per-site basis.

The big hole in web page security is that there is the web page, then
there is the extra info like JavaScript and CSS.

So, for example, https://amazon.com might be accepted, but
https://images-na.cdn.azws.com is in the background ready to rewrite
the entire page.

And the page will be broken until you manually "view source" and open
a link and allow the cert/CA/page for the
JavaScript/CSS/images/metadata.
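
A minimal sketch of the per-site check described in the message above, added here as an illustration and not part of the original post: every host a page load touches is checked against a local cache of approved certificate hashes, with no CA consulted. The names `PinStore`, `evaluatePageLoad` and `hasPfs`, the fingerprints and the cipher strings are constructed for the example; the two host names are the ones used in the message.

```javascript
// Added illustration, not code from the original post. Fingerprints are constructed.
// PFS check covers (EC)DHE suite names only; TLS 1.3 suite names are not handled.
function hasPfs(cipher) {
  return /(^|_)(ECDHE|DHE)[-_]/.test(cipher);
}

class PinStore {
  constructor() { this.pins = new Map(); } // host -> Set of approved cert hashes
  approve(host, fp) {
    if (!this.pins.has(host)) this.pins.set(host, new Set());
    this.pins.get(host).add(fp.toLowerCase());
  }
  // All CAs are untrusted: a host passes only if this exact hash was approved.
  check(host, fp) {
    const known = this.pins.get(host);
    if (!known) return "unknown";
    return known.has(fp.toLowerCase()) ? "pinned" : "mismatch";
  }
}

// conns: one entry per TLS connection opened while loading the page.
function evaluatePageLoad(store, pageHost, conns) {
  const report = { render: false, complete: false, blocked: [], alerts: [] };
  for (const c of conns) {
    const verdict = store.check(c.host, c.fingerprint);
    if (verdict === "mismatch") report.alerts.push(`${c.host}: certificate changed`);
    if (verdict !== "pinned") report.blocked.push(c.host);
    else if (!hasPfs(c.cipher)) report.alerts.push(`${c.host}: no forward secrecy`);
  }
  report.render = !report.blocked.includes(pageHost); // main document accepted
  report.complete = report.blocked.length === 0;      // no subresource host dropped
  return report;
}

const FP_SITE = "aa".repeat(32), FP_CDN = "bb".repeat(32), FP_OTHER = "cc".repeat(32);
function demo() {
  const store = new PinStore();
  store.approve("amazon.com", FP_SITE);
  const load = [
    { host: "amazon.com", fingerprint: FP_SITE, cipher: "ECDHE-RSA-AES128-GCM-SHA256" },
    { host: "images-na.cdn.azws.com", fingerprint: FP_CDN, cipher: "AES128-SHA" },
  ];
  const before = evaluatePageLoad(store, "amazon.com", load); // CDN never approved
  store.approve("images-na.cdn.azws.com", FP_CDN);            // user approves it
  const after = evaluatePageLoad(store, "amazon.com", load);
  load[1].fingerprint = FP_OTHER;                             // CDN cert changes
  const swapped = evaluatePageLoad(store, "amazon.com", load);
  return { before, after, swapped };
}
```

In `before` the main page is accepted but its CDN host is blocked, which is the broken-page state the message describes; `swapped` shows the alert raised when an approved host later presents a different certificate.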



More information about the cypherpunks mailing list