undefined | Better HN

0 pointsgojomo17y ago0 comments

OK, you agree SSL does protect savvy users from MITM attacks.

You're talking about users who can be tricked into what are essentially non-SSL or degraded SSL (certificates from untrustworthy authorities) sessions, because they misread the URL bar or ignore warnings. That's a legitimate concern, most users are easily tricked, but that's not a vulnerability of SSL itself.

0 comments

2 comments · 1 top-level

stcredzero17y ago· 1 in thread

My assertion is that you can't just use SSL and leave it at that. In that case, you're only going to protect savvy users, and not even all of those.

tptacek17y ago

That may or may not be true, but what is certain is that additional mucking around with salts, Javascript crypto, and protocols isn't going to improve the story you get with HTTPS.

j / k navigate · click thread line to collapse