Reply to post: Yeah, but CAs are not really that trustworthy

In non-startling news, EFF says STARTTLS email crypto is mostly done wrong

Christian Berger

Yeah, but CAs are not really that trustworthy

And checking CAs won't bring you much more security. In fact one could argue that since you already looked up the DNS record you already have a central system telling you you are talking to the right server.

Trusting in CAs either gives you an "E-Mail tax" where you give money to a company for a certificate, or it creates a centralized single point of failure by using "Let's Encrypt".

In any case, lifting the task of an attacker from simple sniffing to an active attack is already rather good. Realistically the next step would be to shake out all the missfeatures and bug out of TLS since that has, in recent years, been proven to be a far more problematic problem. (see Heartbleed)

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

SUBSCRIBE TO OUR WEEKLY TECH NEWSLETTER

Biting the hand that feeds IT © 1998–2021