[Cryptography] [cryptography] STARTTLS for HTTP

Tony Arcieri bascule at gmail.com
Sun Aug 31 16:18:48 EDT 2014


On Sun, Aug 31, 2014 at 6:42 AM, Florian Weimer <fw at deneb.enyo.de> wrote:

> > How is this functionally different from turning off the warning
> > about self-signed certificates, other than perhaps some obscure
> > address bar differences between http and https that non-geeks won't
> > understand?
>
> Turning off certificate warnings for everything would disable
> authentication for everyone, including those who have obtained proper
> certificates.


In this model, we have a mode for unauthenticated encryption where an
unverified cert is OK. It probably shouldn't reflect anything to the user
and give the same "white" bar as normal plaintext HTTP. But it does add
resilience against passive, blanket surveillance.

https certificate verification UX "research" (since the warnings given to
users seem to constantly be in flux) can continue as-is and unabated by the
addition of STARTTLS for HTTP. It should be completely transparent (except
to the passive surveillers).

-- 
Tony Arcieri
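One way to make the distinction in this exchange concrete, as an added example that is not from the thread or from any browser's code: an http:// fetch first attempts TLS without certificate validation and falls back to plaintext, an https:// fetch keeps full validation (so a bad cert still errors), and only the validated channel earns a security indicator. The upgrade is modelled as a direct TLS attempt rather than the in-band STARTTLS handshake the thread leaves unspecified; the `dial` parameter, the `Channel` names and the hosts are assumptions for illustration.

```python
import socket
import ssl
from enum import Enum


class Channel(Enum):
    VERIFIED_TLS = "verified"               # https://, chain validated: secure indicator
    UNAUTHENTICATED_TLS = "opportunistic"   # http:// upgraded, cert NOT validated: plain UI
    PLAINTEXT = "plaintext"                 # http://, upgrade failed: plain UI


def verified_context() -> ssl.SSLContext:
    # Normal https: hostname check plus chain validation against the system trust store.
    return ssl.create_default_context()


def opportunistic_context() -> ssl.SSLContext:
    # Encryption only: no hostname check, no chain validation. This defeats passive
    # capture but not an active attacker, so it must never be shown as "secure".
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before verify_mode can change
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def tls_dial(host: str, port: int, ctx: ssl.SSLContext):
    # Real connector (assumed default): TCP connect, then wrap under the given policy.
    sock = socket.create_connection((host, port), timeout=5)
    return ctx.wrap_socket(sock, server_hostname=host)


def connect(scheme: str, host: str, port: int, dial=tls_dial):
    """Return (Channel, connection-or-None) for a request to host:port."""
    if scheme == "https":
        # Explicit https keeps full authentication: a bad cert raises here and
        # becomes a warning, never a silent downgrade to the opportunistic mode.
        return Channel.VERIFIED_TLS, dial(host, port, verified_context())
    # http://: try opportunistic TLS, but never surface certificate problems.
    try:
        return Channel.UNAUTHENTICATED_TLS, dial(host, port, opportunistic_context())
    except (OSError, ssl.SSLError):
        return Channel.PLAINTEXT, None


def ui_indicator(channel: Channel) -> str:
    # Only validated TLS gets the lock; opportunistic looks exactly like plaintext.
    return "lock" if channel is Channel.VERIFIED_TLS else "none"
```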

