river-dev mailing list archives

From Sim IJskes - QCG <...@qcg.nl>
Subject Re: Towards Internet Jini Services (trust)
Date Mon, 04 Oct 2010 12:57:48 GMT
On 10/04/2010 02:38 PM, Tom Hobbs wrote:
> Isn't that the basic underpinning of secure web traffic?
> Maybe I'm being overly simplistic, but if I browse to www.mybank.com a
> security handshake happens and then anything that server sends me, be it
> images, JavaScript, data etc, I implicitly trust.  If I log into
> gmail.com or amazon.com or whatever, additional handshakes with those
> (code)servers happen again.
> If I get a service proxy from apache.org, then I can implicitly trust it.
>   If I download a service proxy from dodgyproxies.com, a site I've never
> heard of before, then I shouldn't be surprised if it trashed my machine.

Exactly. And if you want to download anything from another place than 
the original source, you have to trust the 'codeproxy' and add it to 
your trustlist (for downloading). You still have to verify the code 
against the trustlist for its certificate+codehash. It waters down the 
guarantees a bit, but only for the part of the spent bytes from your 
data roaming plan. And maybe it would be wise to put that rogue codeproxy 
on your 'I will never trust them again' list.

Gr. Sim
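
The scheme described in this message, sketched as an added example that is not part of the original post or of the River code base: a codeproxy is trusted only as a download source, the downloaded bytes are still checked against the trustlist entry for certificate+codehash, and a proxy that serves anything else goes on the never-trust list. All class, method and host names are hypothetical, and the certificate and code bytes are constructed sample values.

```python
import hashlib

def fingerprint(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

class CodeTrustPolicy:
    """Hypothetical client-side policy; the names are not River APIs."""

    def __init__(self):
        self.trusted_code = set()  # (certificate fingerprint, code hash) pairs
        self.codeproxies = set()   # sources trusted for downloading only
        self.never_again = set()   # sources that served unverifiable code

    def trust_code(self, cert: bytes, code: bytes) -> None:
        self.trusted_code.add((fingerprint(cert), fingerprint(code)))

    def may_download(self, source: str) -> bool:
        return source in self.codeproxies and source not in self.never_again

    def verify(self, source: str, cert: bytes, code: bytes) -> bool:
        """Check downloaded bytes; a failing source loses its download trust."""
        if not self.may_download(source):
            return False
        # Assumption: the signature over `code` was already checked against
        # `cert`; this step only pins the certificate+codehash pair.
        if (fingerprint(cert), fingerprint(code)) in self.trusted_code:
            return True
        self.codeproxies.discard(source)
        self.never_again.add(source)
        return False

def demo() -> dict:
    # Constructed sample values, not real certificates or jars.
    cert = b"constructed certificate of the original source"
    jar = b"constructed service proxy bytes"
    policy = CodeTrustPolicy()
    policy.trust_code(cert, jar)
    policy.codeproxies.update({"mirror-a.example", "mirror-b.example"})
    return {
        "honest": policy.verify("mirror-a.example", cert, jar),
        "tampered": policy.verify("mirror-b.example", cert, jar + b"!"),
        "banned_retry": policy.verify("mirror-b.example", cert, jar),
        "unknown": policy.may_download("mirror-c.example"),
        "never_again": sorted(policy.never_again),
    }
```

The tampered download costs only the bytes transferred: the code is rejected before use, and the same proxy is refused afterwards even when it serves the correct bytes.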
