Hacker News new | ask | show | jobs
by PeterisP 2193 days ago
If don't trust a server, then any strong protocol that results in a secure shared secret or session key is trivially sidestepped by the server intentionally leaking these secrets or keys.
2 comments
ben_w 2193 days ago
Two interpretations of the same phrase:

1. Do you trust that 123.123.123.123 is the real https://example.com ?

2. Do you trust the real https://example.com to not leak?

The protocol is for 1. You’re right that nothing can help with 2.

link
dependenttypes 2193 days ago
I trust the server only after I verify its PK. SSH performs mutual authentication.
link