pan-devel

Re: [Pan-devel] ANN: SSL Support


From: Heinrich Mueller
Subject: Re: [Pan-devel] ANN: SSL Support
Date: Fri, 04 Nov 2011 09:23:57 +0100
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:7.0.1) Gecko/20111001 Thunderbird/7.0.1

On 04.11.2011 02:38, Domain Admin wrote:
On Wed, Oct 26, 2011 at 1:08 PM, Heinrich Müller <address@hidden> wrote:
On Wed, 26 Oct 2011 08:39:43 +0000, SciFi wrote:

As it is, your code seems to be working fine.
But I can never figure out if we're running SSL "for reals"
(yes the servers did reject/not-respond-to the "plain-text" setting
but I don't think that is enough proof ;) ).
And the doubled i/o rate calculations are something that needs further
study, please (this is during header-fetch _and_ downloading-binaries).

Thank you for all your work.

I'll add certificate checking later. Then a message would pop up if
that failed and would ask for user action. For now, pan just assumes
that everything is fine. Security-wise this _could_ be a problem, so I'll
fix this asap.

Even though I rarely use PAN anymore, the work that you and others have
done has been great, so I don't want this to be seen as a criticism, but
I don't think the SSL support is complete unless there is certificate
checking. The biggest attacks on SSL are MITM using spoofed certs, so
if someone is in a country like Libya (or how it used to be) and
posting to a newsgroup to coordinate activities without certificate
checking, they would never know that their traffic was being read as it
passed through the monitoring devices inline at the telco. Or a more
mundane scenario may be at your local Starbucks and someone plays MITM
on your traffic there. If the library doesn't have a predefined set
of valid CAs, maybe display the CA chain and information and let the
user approve it? If that chain changes, alert them?

Thank you again for all the work!


I totally agree. That's why this check is the top priority on my to-do list.
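As an added illustration of the two behaviours discussed in this thread (example code, not Pan's own): a Python NNTP-over-TLS client that verifies the server chain against the platform CA set instead of assuming everything is fine, and additionally keeps a trust-on-first-use fingerprint store so that a certificate the user once approved is flagged if it later changes. The host, port 563 and the pins.json path are assumptions.

```python
import hashlib
import json
import socket
import ssl
from pathlib import Path

def verifying_context() -> ssl.SSLContext:
    """Context that rejects unverifiable or mismatched server certificates.
    The 'assume everything is fine' setting (CERT_NONE, no hostname check)
    is exactly what a MITM presenting a spoofed certificate relies on."""
    ctx = ssl.create_default_context()  # loads the platform CA set
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx

def fingerprint(der_cert: bytes) -> str:
    """SHA-256 fingerprint of a DER certificate as colon-separated hex."""
    digest = hashlib.sha256(der_cert).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def check_pin(store: dict, host: str, der_cert: bytes) -> str:
    """Trust-on-first-use check against a {host: fingerprint} store.
    'first-use': show the fingerprint and ask the user to approve it;
    'match': same certificate as approved; 'changed': alert the user."""
    pinned = store.get(host)
    if pinned is None:
        return "first-use"
    return "match" if pinned == fingerprint(der_cert) else "changed"

def connect_nntp_tls(host: str, port: int = 563,
                     store_path: Path = Path("pins.json")) -> ssl.SSLSocket:
    """Open a verified NNTP-over-TLS socket, pinning the leaf cert on first use."""
    store = json.loads(store_path.read_text()) if store_path.exists() else {}
    raw = socket.create_connection((host, port), timeout=30)
    tls = verifying_context().wrap_socket(raw, server_hostname=host)  # CA check
    der = tls.getpeercert(binary_form=True)
    status = check_pin(store, host, der)
    if status == "changed":
        tls.close()
        raise ssl.SSLError(f"{host}: certificate changed since it was approved")
    if status == "first-use":  # a real client would prompt the user here
        store[host] = fingerprint(der)
        store_path.write_text(json.dumps(store))
    return tls
```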
