<html><head><meta http-equiv="Content-Type" content="text/html charset=us-ascii"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;"><div>On Aug 29, 2014, at 10:30 AM, Watson Ladd <<a href="mailto:watsonbladd@gmail.com">watsonbladd@gmail.com</a>> wrote:</div><br class="Apple-interchange-newline"><blockquote type="cite">On Fri, Aug 29, 2014 at 10:17 AM, Tao Effect <<a href="mailto:contact@taoeffect.com">contact@taoeffect.com</a>> wrote:<br><blockquote type="cite">I had checked the website the day prior to those tweets. Cert change<br>appeared a day later. That is why I was (and am still) convinced that it was<br>a MITM attack.<br></blockquote><br>Where the website owner confirmed that the new cert was correct?<br></blockquote><div><br class="webkit-block-placeholder"></div><div>Yes, see the tweets. It was an example of a revoked certificate being used in place of the new one (possibly compromised because of HeartBleed). Neither Chrome nor Firefox can reliably check to see if a certificate is revoked.</div><div><br></div><div><blockquote type="cite">The basic problem is that the only individual who knows what keys<br>should be associated with them, is the individual who owns the private<br>keys. And so you need to have a consistent, global view of that map,<br>which can get occasionally updated and have them check the correctness<br>of this map.</blockquote></div><div><br class="webkit-block-placeholder"></div><div>Yes, such a mapping is called "The Blockchain". :-)</div><div><br></div><div>DNSChain makes that mapping accessible to all devices (without needing to run a node or store the blockchain locally):</div><div><br></div><div><div><a href="https://github.com/okTurtles/dnschain">https://github.com/okTurtles/dnschain</a></div><div><br></div></div><div>Kind regards,</div><div>Greg Slepak</div><div>
<br class="Apple-interchange-newline"><span style="color: rgb(0, 0, 0); font-family: Helvetica; font-size: 14px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-text-stroke-width: 0px; display: inline !important; float: none;">--</span><br style="color: rgb(0, 0, 0); font-family: Helvetica; font-size: 14px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-text-stroke-width: 0px;"><span style="color: rgb(0, 0, 0); font-family: Helvetica; font-size: 14px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-text-stroke-width: 0px; display: inline !important; float: none;">Please do not email me anything that you are not comfortable also sharing</span><span style="color: rgb(0, 0, 0); font-family: Helvetica; font-size: 14px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-text-stroke-width: 0px; display: inline !important; float: none;"> with the NSA.</span>
</div>
<br><div><blockquote type="cite"><br><blockquote type="cite"><br>This event serves as a real-world example of the community's reaction to<br>MITM attacks. It highlights extreme skepticism and apathy in spite of clear<br>evidence of a MITM attack.<br><br>Only major CA compromises that have affected giant companies (like Google)<br>get press.<br><br>This example shows that people on this list could be MITM attacked right<br>now, and in the unlikely event that they detected it, it may not matter<br>much. That is why I prefer systems that prevent MITM attacks from happening<br>in the first place, and without any ambiguity.<br></blockquote><br>What's the difference between the key associated to<br><a href="mailto:watsonbladd@gmail.com">watsonbladd@gmail.com</a> changing because I forgot a passphrase and<br>changing because it's been MITM'd? If you want to make addresses keys,<br>then you introduce a different set of problems, where the address<br>associated to an individual is changed.<br><br>The basic problem is that the only individual who knows what keys<br>should be associated with them, is the individual who owns the private<br>keys. And so you need to have a consistent, global view of that map,<br>which can get occasionally updated and have them check the correctness<br>of this map.<br><br>Sincerely,<br>Watson Ladd<br><br><blockquote type="cite"><br>Cheers,<br>Greg Slepak<br><br>--<br>Please do not email me anything that you are not comfortable also sharing<br>with the NSA.<br><br><br><br>_______________________________________________<br>Messaging mailing list<br><a href="mailto:Messaging@moderncrypto.org">Messaging@moderncrypto.org</a><br>https://moderncrypto.org/mailman/listinfo/messaging<br><br></blockquote><br><br><br>-- <br>"Those who would give up Essential Liberty to purchase a little<br>Temporary Safety deserve neither Liberty nor Safety."<br>-- Benjamin Franklin<br></blockquote></div><br></body></html>