
> The same way I know which real person is serving me the website. I don't; I merely know that the owner doesn't change randomly.

Still doesn't explain how I'll confirm that the website has not been intercepted by a middle man the first time I visit it.



In this case it isn't a middle man, but becomes the real website.


The very problem here is that I am not ok with middle man becoming the real website. If you are ok with that, you don't have a problem. You can use TOFU. Good for you. But I have a problem with that. So I can't use TOFU.


I'm saying that this is not your real problem. Your real problem is that you expect the "real website" to correspond to real world entities. And this can be solved better than the current state.


You mean it can't be solved with Let's Encrypt? Yes, I agree.

What about TLS certificates attested by CAs who validate the real world legal entity? Would you agree that this is a solved problem there?


Yes, this solves it partially. The thing is that people assume that the green lock corresponds to the domain name. It would be completely solved if the browser still showed the validated company name, like it used to, and then people would only validate that, with the CA also validating that there are no similar names. The latter would essentially mean that there is a global coordination of CAs and that only one entity in the whole world could have the same name, i.e. we only have one jurisdiction.



