Archives for posts with tag: tls

A few days ago I talked about how to fix TLS by ditching certificates and using public keys sent by the websites themselves to authenticate them. That proposal attracted quite some criticism. I realised I didn’t explain the idea very well. So here is an update, to address the comments and to explain the idea better and more precise. Read the original post for some more context and background.

Read the rest of this entry »

TLS secures the connection between your browser and the websites you visit (and a lot of other Internet connections that do not involve either a browser or a web server). TLS should provide confidentiality (so nobody can steal your passwords or see which webpages you are visiting), integrity (so nobody can modify the transactions you send to your bank) and authenticity. When properly used, TLS provides the first two guarantees, but it is increasingly becoming apparent that it fails to provide the latter: authenticity. The use of certificates (and the poor understanding of what authenticity on the web really means) is to blame.

(Note: I wrote an update to clarify and improve the idea, based on comments I received.)

Read the rest of this entry »

In de NRC van donderdag 22 oktober 2009 wordt een tweetal mogelijkheden gegeven waarmee met de OV chipkaart gefraudeerd zou kunnen worden. In beide gevallen zonder de ov chipkaart zelf te hacken of iets dergelijks, en zonder dat een conducteur de fraude zou opmerken.
(lees verder…)