undefined | Better HN

0 pointsbandrami3y ago0 comments

It's like the larger holy war against self-signed certificates in TLS. They are strictly better than plaintext but there is software that will prefer a plaintext connection to self-signed TLS.

0 comments

4 comments · 1 top-level

Avamander3y ago· 3 in thread

Unverifiable security is not "strictly better" than plaintext.

bandramiOP3y ago

It is. In both cases you may be MiTMed, but with plaintext that MiTM session may also be eavesdropped upon.

This isn't really debateable. Unverified sig simply is strictly better.

Avamander3y ago

In both cases you can be eavesdropped upon. It really isn't debatable indeed, unverifiable security is not security.

bandramiOP3y ago

Nope. An unverified TLS session still cannot be examined by a third party. You know you are communicating with exactly one party, even if you don't know who that is.

Your attacker may share the data with a third party, but that's true of verified connections too.

4 more replies

j / k navigate · click thread line to collapse