Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

It does. But what if StartSSL is compromised (or your connection is MITM'ed) and you're served a page that contains malicious javascript instead of the intended keygen tag? The only way to be sure would be to check the HTML...in addition to the rest of the learning curve of implementing SSL.


if startssl is compromised (and if start ssl doesn't use ssl, allowing for mitm), then I don't imagine you'd have much luck regardless

no matter what practices startssl uses, once your connection to them is compromised or once they are compromised, then the attacker can change what practices startssl suggests to its users.


> then the attacker can change what practices startssl suggests to its users.

Or just issue a cert on its own accord...


by that logic, do you read the source of your key generation binary and then compile it yourself?

or at least consult the md5 on your distill page before running it? oh and make sure md5sum is not altered either.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: