undefined | Better HN

0 pointspilif7y ago0 comments

> (which isn't actually true)

how would I discern your self-signed certificate from the one served by the person arp-spoofing the gateway in a Starbucks?

0 comments

3 comments · 1 top-level

crankylinuxuser7y ago· 2 in thread

No cert chain for starters. The better answer here is some sort of "self signed standard data" for non-CA certs. But right now, testing in a NAT using HTTP2 is a ugly nonstarter.

pilifOP7y ago

> No cert chain for starters.

why would the person who arp-spoofs the gateway in the Starbucks not be able to fetch your self-signed cert chain and mint their own matching chain with the exact same metadata (but of course differing keys)?

crankylinuxuser7y ago

Then what's your proposal for NATted, self-contained (no gateway), and Tor Onion networks?

Sure, if I have a public IP and DNS records pointing towards it, I'm served by LE or a multitude other vendors. But that's a small number of machines on any network.

1 more reply

j / k navigate · click thread line to collapse