
Re: [Phys-l] PHYS-L Website certified by an unknown authority



Mark O. Kimball wrote:

The original list hosted by NAU did not use encrypted communication (at
least not to the archives) so the validity of the identity of the server
was not an issue for that list.

Does the list need a trusted authority? It is open to anyone wishing to
join and does allow public viewing of the archives. There is no real need
for secure access to the archives. However, a secure communication with
the pages used to modify an individual's settings is desirable.

Security is not a binary quantity. There is perhaps "more secure"
versus "less secure".

VeriSign states a certificate, valid for one year, costs $349. Since
Phys-l has a budget of $0 (unless I am severely misinformed), and is run
by volunteers, this cost would be out-of-pocket.

There are other places to shop for certificates, some of
them muuuuch cheaper.

It was my decision to use the https:// port exclusively so all
communication is encrypted (I tend to do this when possible). I could
simply allow most traffic to use the insecure http:// port and only pipe
communication with the membership modification pages through https://.

This decision makes sense to me.
1) It makes the traffic secure against passive attacks including
casual eavesdropping. I myself have a strong tendency to never
ask for a password unless the channel is secured by https or better.
2) It does not make the traffic secure against certain active attacks,
specifically, certain MITM attacks. Since active attacks are generally
much harder to mount than passive attacks, this is a definite increase
in security.
3) If you go to the phys-l website NOW and accept the certificate, you
will be protected even against active attacks mounted in the future.
The website will have what is called _persistence of identity_.
Also you can check that the certificate fingerprint is
60:61:d4:fa:5c:98:08:74:93:5b:b7:4e:bc:e4:9b:7d:34:fc:fe:64
I hereby certify that that key is the one *I* trust.

Bottom line: This level of security is entirely appropriate for the
task at hand.
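
Added example, not part of the original message: a Python sketch of the "persistence of identity" check from point 3, together with a comparison against a fingerprint published out of band. The host name list.example, the constructed certificate byte strings, and the use of SHA-1 over the DER encoding (inferred only from the fingerprint's 20-byte length) are assumptions.

```python
import hashlib
import hmac

# Fingerprint quoted in the message above; 20 bytes, the size of a SHA-1 digest.
PAGE_FINGERPRINT = "60:61:d4:fa:5c:98:08:74:93:5b:b7:4e:bc:e4:9b:7d:34:fc:fe:64"

# Constructed stand-ins for DER-encoded certificates (not real certificates).
CERT_A = b"constructed certificate bytes A"
CERT_B = b"constructed certificate bytes B"


def parse_fingerprint(text: str) -> bytes:
    """Parse 'aa:bb:...' (any case, colons or spaces) into 20 raw bytes."""
    raw = bytes.fromhex(text.replace(":", "").replace(" ", ""))
    if len(raw) != 20:
        raise ValueError("expected a 20-byte fingerprint")
    return raw


def fingerprint(cert_der: bytes) -> str:
    """Colon-separated SHA-1 fingerprint (assumed algorithm) of a certificate."""
    return hashlib.sha1(cert_der).digest().hex(":")


class PinStore:
    """Remembers one fingerprint per host and reports any later change."""

    def __init__(self, published=None):
        # Fingerprints learned out of band, e.g. from a posting like the one above.
        self.published = {h: parse_fingerprint(f) for h, f in (published or {}).items()}
        self.accepted = {}  # fingerprints accepted on first contact

    def check(self, host: str, cert_der: bytes) -> str:
        seen = hashlib.sha1(cert_der).digest()
        expected = self.published.get(host) or self.accepted.get(host)
        if expected is None:
            # Nothing to compare against: an active attacker present right now
            # would go unnoticed, but every later connection is checked.
            self.accepted[host] = seen
            return "first-use"
        # Constant-time comparison of the two digests.
        return "match" if hmac.compare_digest(seen, expected) else "mismatch"
```

A "first-use" result is the only case that depends on no attacker being present at that moment; a fingerprint supplied through `published` removes that dependency.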