
The other article on SPDY complained about it having SSL enabled by default. Is that really something to complain about? Isn't it one of the good things about it, because if SPDY gets adopted, it means everything becomes encrypted? And isn't that a very desirable future?


Having things encrypted is good, yes, but requiring people to get a certificate means that the web has fewer chokepoints, which is bad.

IMHO, SSL ought to use a fingerprint-comparison check, instead of a central cert. "This server has changed since last time. Is that OK?"


http://www.imperialviolet.org/2011/06/16/dnssecchrome.html

Using DNSSEC we can host the fingerprint of the cert in DNS, at which point a CA is not required.


How is that a question that any end-user could be expected to answer with any kind of authority?


What about the first time the user connects, how would they be assured that the fingerprint really is the site's and not a man in the middle?

Honest question, myself being pretty new to cryptography.


In theory, you could do an out-of-band comparison.

In practice, you'd generally accept that the first one you receive is valid, and then watch for deviations from there.

This is the way SSH works, for instance.
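
The trust-on-first-use check discussed in the comments above (accept the first fingerprint seen, then flag any deviation, as SSH does), written out as an added example that is not part of the thread. `PinStore`, the host name and the byte strings standing in for DER-encoded certificates are constructed for illustration.

```python
import hashlib
import hmac

# Constructed stand-ins for DER-encoded certificates. In a real client the
# bytes would come from ssl.SSLSocket.getpeercert(binary_form=True).
CERT_A = b"constructed-certificate-A"
CERT_B = b"constructed-certificate-B"


def fingerprint(cert_der: bytes) -> str:
    """SHA-256 over the certificate bytes, hex-encoded."""
    return hashlib.sha256(cert_der).hexdigest()


class PinStore:
    """In-memory trust-on-first-use store mapping host -> pinned fingerprint."""

    def __init__(self):
        self._pins = {}

    def check(self, host: str, cert_der: bytes) -> str:
        seen = fingerprint(cert_der)
        pinned = self._pins.get(host)
        if pinned is None:
            # First contact: nothing to compare against, so the value is
            # pinned unverified. This is the window the thread asks about.
            self._pins[host] = seen
            return "first-use"
        if hmac.compare_digest(pinned, seen):
            return "match"
        # Deviation: report it and keep the old pin until it is re-verified.
        return "changed"

    def accept_change(self, host: str, cert_der: bytes, verified_fp: str) -> bool:
        """Re-pin only if the presented certificate matches a fingerprint
        obtained out of band (for example, read over the phone)."""
        seen = fingerprint(cert_der)
        if not hmac.compare_digest(seen, verified_fp.lower()):
            return False
        self._pins[host] = seen
        return True


if __name__ == "__main__":
    store = PinStore()
    for cert in (CERT_A, CERT_A, CERT_B):
        print(store.check("example.test", cert))
```
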



