PHP, Python and Google Go Fail to Detect Revoked TLS Certificates

Discussion in 'privacy problems' started by Minimalist, Apr 1, 2016.

  1. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    5,067
  2. Palancar

    Palancar Registered Member

    Joined:
    Oct 26, 2011
    Posts:
    1,594
    This is such a broken overall system. I don't know what the answer is for clearnet, but the chain of trust is just too easy to compromise. I really like private certificates (like here) where we get a published cert fingerprint and my software verifies it before signing in. I only need to trust LWM, which I do, and I confirm a legit connection. I use half a dozen clearnet sites with a similar model. I'll take that over the chain of trust model all day long.
     
  3. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    5,067
    This site doesn't use their own certificate any more. Now it's Let's Encrypt's certificate.
     
  4. Palancar

    Palancar Registered Member

    Joined:
    Oct 26, 2011
    Posts:
    1,594
    My bad, I forgot about that recent change. I have my system logging Wilder's fingerprints when I come in but have not signed in yet. I still verify them for consistency before signing in.

    Thanks for the reminder of the change. I need to go do some reading about susceptibility (key hijacks or MITM stuff). This is not a site where my risk factor is large, but still I like to confirm I am really logging into Wilder's.
     