Encryption without a certification layer is (partly) useless - Written by dolanor @ friday 20 september 2013, 16:15

https://tanguy.ortolo.eu/blog/article104/encryption-without-certification-layer en a blog about Debian and self-hosting Fri, 20 Sep 2013 16:15:00 +0000 PluXml Encryption without a certification layer is (partly) useless - Written by dolanor @ friday 20 september 2013, 16:15 https://tanguy.ortolo.eu/blog/article104/encryption-without-certification-layer/#c1379693753-1 https://tanguy.ortolo.eu/blog/article104/encryption-without-certification-layer/#c1379693753-1 Except that a shared secret could be a simple, uncomplicated password that you whisper in one's ear. Saying the full fingerprint or the full public key in base64 or hexa would be less practical. I agree though that giving a usb key could be an easy solution though Fri, 20 Sep 2013 16:15:00 +0000 dolanor Encryption without a certification layer is (partly) useless - Written by Tanguy @ tuesday 18 june 2013, 07:39 https://tanguy.ortolo.eu/blog/article104/encryption-without-certification-layer/#c1371541146-1 https://tanguy.ortolo.eu/blog/article104/encryption-without-certification-layer/#c1371541146-1 @Sebastian Weisgerber : Well, if you can meet someone to define or check a shared secret, you might as well exchange public keys with each other… Tue, 18 Jun 2013 07:39:00 +0000 Tanguy Encryption without a certification layer is (partly) useless - Written by Sebastian Weisgerber @ tuesday 18 june 2013, 07:13 https://tanguy.ortolo.eu/blog/article104/encryption-without-certification-layer/#c1371539617-1 https://tanguy.ortolo.eu/blog/article104/encryption-without-certification-layer/#c1371539617-1 Authentication really matters in encryption. But there are possibilities without certificates, to ensure the identity of the person you are talking to, or at least to prevent MitM attacks. See for example ZRTP for voice encryption or OTR for message encryption. With the aid of shared secrets, you can _increase_ the likeliness, that the identity is correct, but you can't be 100% sure. If someone steals your contact's phone or your contact person is extorted while talking to you, third parties can still eavesdrop your communication... => At least one party knows what happened in these scenarios, which doesn't help if your are the unaware one... Tue, 18 Jun 2013 07:13:00 +0000 Sebastian Weisgerber Encryption without a certification layer is (partly) useless - Written by Tanguy @ monday 17 june 2013, 19:19 https://tanguy.ortolo.eu/blog/article104/encryption-without-certification-layer/#c1371496762-1 https://tanguy.ortolo.eu/blog/article104/encryption-without-certification-layer/#c1371496762-1 @Anonymous : Yes, there is value, I just wanted to react to the many articles saying that this or that cannot be eavesdropped, which is often simply wrong. Mon, 17 Jun 2013 19:19:00 +0000 Tanguy Encryption without a certification layer is (partly) useless - Written by Anonymous @ monday 17 june 2013, 18:47 https://tanguy.ortolo.eu/blog/article104/encryption-without-certification-layer/#c1371494823-1 https://tanguy.ortolo.eu/blog/article104/encryption-without-certification-layer/#c1371494823-1 There *is* value in opportunistically preventing non-MITM eavesdropping. Not as much value, but value. Mon, 17 Jun 2013 18:47:00 +0000 Anonymous Tanguy Ortolo - Encryption without a certification layer is (partly) useless - Comments