by joelanders 4423 days ago
The site's audience is going to be technical.

She explains how to check the SSL certificate fingerprint here:

https://blog.patternsinthevoid.net/isis.txt

Once you've whitelisted her self-signed cert, you know from then on that you're not being MITMed (for what that's worth in a blog).

2 comments

If you are doing a MITM attack, you might as well change the content of isis.txt on the fly.
web of trust
Except you can't get there unless you go past the warning.
There is an awkward period (after clicking past the warning and before verifying the signed SSL certificate fingerprint) which is no more or less safe than HTTP, but which is more cumbersome and might encourage often-bad behavior in some users. After verifying that the certificate is signed by her (which requires trusting her public key--more hoops), you get some benefit.

It's difficult to weigh the cost/benefit, and nobody is denying that PKI can be awkward.

/thread?

ed: ok, i guess we might still debate the cost/benefit of getting a free cert--i don't really know.
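
An added illustration of the trust states discussed in this thread (not code from any commenter or from the blog): a trust-on-first-use pin store that keeps "clicked past the warning" separate from "matched the fingerprint published out of band". `PinStore`, the host `blog.example` and the certificate bytes are hypothetical and constructed; it assumes the signature on the published fingerprint statement was already verified (for example with `gpg --verify`), since an interceptor could otherwise rewrite that statement as well.

```python
import hashlib
import hmac

def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate, as lowercase hex."""
    return hashlib.sha256(der).hexdigest()

def normalize(fp: str) -> str:
    """Accept 'AA:BB:...', 'aa bb ...' or plain hex as written in a text file."""
    return "".join(c for c in fp.lower() if c in "0123456789abcdef")

class PinStore:
    """Hypothetical TOFU store mapping host -> (fingerprint, verified flag)."""
    def __init__(self):
        self.pins = {}

    def observe(self, host: str, der: bytes) -> str:
        fp = fingerprint(der)
        if host not in self.pins:
            # The "awkward period": accepted, but nothing has been checked yet.
            self.pins[host] = (fp, False)
            return "first-use-unverified"
        pinned, verified = self.pins[host]
        if not hmac.compare_digest(pinned, fp):
            return "mismatch"  # certificate changed since it was pinned
        return "pinned-verified" if verified else "pinned-unverified"

    def confirm(self, host: str, published_fp: str) -> bool:
        """Mark the pin verified only if it equals the published fingerprint.
        Assumption: the caller already verified the signature on the statement."""
        pinned, _ = self.pins[host]
        ok = hmac.compare_digest(pinned, normalize(published_fp))
        if ok:
            self.pins[host] = (pinned, True)
        return ok

# Constructed stand-ins for DER certificate bytes (not real certificates).
SITE_CERT = b"constructed-der-bytes-for-the-real-site"
MITM_CERT = b"constructed-der-bytes-for-an-interceptor"

def demo():
    store = PinStore()
    states = [store.observe("blog.example", SITE_CERT)]
    fp = fingerprint(SITE_CERT)
    published = ":".join(fp[i:i + 2] for i in range(0, 64, 2)).upper()
    states.append(store.confirm("blog.example", published))
    states.append(store.observe("blog.example", SITE_CERT))
    states.append(store.observe("blog.example", MITM_CERT))
    return states

if __name__ == "__main__":
    print(demo())
```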