What about the first time the user connects, how would they be assured that the fingerprint really is the site's and not a man in the middle?

Honest question, myself being pretty new to cryptography.



In theory, you could do an out-of-band comparison.

In practice, you'd generally accept that the first one you receive is valid, and then watch for deviations from there.

This is the way SSH works, for instance.

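The trust-on-first-use model described in the comment above, shown as an added example (not code from the thread or from OpenSSH): a minimal known_hosts-style store that pins the first fingerprint seen for a host, flags any later deviation, and also accepts a fingerprint pinned ahead of time through an out-of-band channel, which is the only way to cover the very first connection. The host keys and hostnames below are constructed sample values, and the fingerprint format imitates OpenSSH's `SHA256:` base64 style.

```python
import base64
import hashlib

# Constructed sample host keys (not real keys). In a real client these would
# be the public key bytes received during the handshake.
KEY_A = b"ssh-ed25519 constructed-sample-key-A"
KEY_B = b"ssh-ed25519 constructed-sample-key-B"


def fingerprint(public_key: bytes) -> str:
    """SHA-256 fingerprint in OpenSSH style: base64 without padding."""
    digest = hashlib.sha256(public_key).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


class TofuStore:
    """Trust-on-first-use store modelled on SSH's known_hosts file.

    Outcomes of check():
      "new"      first contact; fingerprint recorded (unverified trust)
      "match"    key is the one seen (or pinned) before
      "mismatch" key changed: possible key rotation or a man in the middle;
                 the caller must refuse to proceed until a human decides
    """

    def __init__(self):
        self._pins = {}  # host -> pinned fingerprint

    def pin(self, host: str, expected_fp: str) -> None:
        """Pin a fingerprint obtained out of band (e.g. read from the admin
        over a trusted channel) so the first network contact is verified."""
        self._pins[host] = expected_fp

    def check(self, host: str, public_key: bytes) -> str:
        fp = fingerprint(public_key)
        pinned = self._pins.get(host)
        if pinned is None:
            self._pins[host] = fp
            return "new"
        return "match" if pinned == fp else "mismatch"


if __name__ == "__main__":
    store = TofuStore()
    print(store.check("host.example.test", KEY_A))  # new
    print(store.check("host.example.test", KEY_A))  # match
    print(store.check("host.example.test", KEY_B))  # mismatch
```

The "new" result is the weak spot the question above points at: nothing in the protocol proves that first key is the server's, so the store simply remembers it. Only the `pin()` path, fed from a channel the attacker cannot tamper with, turns the first contact into a real check, and a "mismatch" must be treated as a hard stop rather than a prompt to click through.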


