basic auth request

Chris Angelico rosuav at gmail.com
Wed Aug 25 03:31:21 EDT 2021


On Wed, Aug 25, 2021 at 5:20 PM Barry Scott <barry at barrys-emacs.org> wrote:
>
> Only if this threat model matters to you or your organisation.
> Personally, it's low down among the threats I watch out for.
>
> The on-line world and the real-world are the same here.
>
> If a business changes hands then do you trust the new owners?
>
> Nothing we do with PKI certificates will answer that question.

Fair enough; but a closer parallel would be walking up to a
previously-familiar street vendor and seeing a different person there.
Did the business change hands, or did some random dude hop over the
counter and pretend to be a new owner?

But you're right, it's not usually a particularly high-risk threat.
Still, it does further weaken the value of named SSL certificates and
certificate authorities; there's not actually that much difference if
the server just gave you a self-signed cert. In theory, the CA is
supposed to protect you against someone doing a DNS hack and
substituting a different server; in practice, anyone capable of doing
a large-scale DNS hack is probably capable of getting a very
legit-looking SSL cert for the name as well.

ChrisA
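The gap the message above describes (a CA-validated certificate says nothing about whether the party behind the name is the same one you dealt with last time) is what key pinning, or trust-on-first-use, addresses. What follows is an added example, not code from this thread or from any project the thread mentions: a small TOFU pin store in Python that records the SHA-256 fingerprint of the certificate a host presents the first time it is seen and flags any later change, independently of whether the new certificate chains to a CA. The `fetch_peer_cert` helper uses the standard `ssl` module against a live server; the certificate bytes in `demo()` are constructed placeholders standing in for DER, not real certificates.

```python
import hashlib
import json
import socket
import ssl
from pathlib import Path

# Outcomes of a pin check.
FIRST_SEEN = "first-seen"   # no pin yet: record it (trust on first use)
MATCH = "match"             # same certificate as last time
MISMATCH = "MISMATCH"       # certificate changed: new owner, renewal, or MITM


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 over the DER-encoded certificate, as colon-separated hex."""
    digest = hashlib.sha256(der_cert).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def check_pin(host: str, der_cert: bytes, pins: dict) -> str:
    """Compare the presented certificate against the stored pin for host.

    `pins` maps hostname -> fingerprint and is updated in place on first sight.
    On mismatch the stored pin is deliberately NOT overwritten: a human has to
    decide whether the change was legitimate, exactly as with SSH known_hosts.
    """
    fp = fingerprint(der_cert)
    stored = pins.get(host)
    if stored is None:
        pins[host] = fp
        return FIRST_SEEN
    return MATCH if stored == fp else MISMATCH


def load_pins(path: Path) -> dict:
    """Read the pin store from disk (empty store if it does not exist yet)."""
    return json.loads(path.read_text()) if path.exists() else {}


def save_pins(path: Path, pins: dict) -> None:
    """Persist the pin store as JSON."""
    path.write_text(json.dumps(pins, indent=2, sort_keys=True))


def fetch_peer_cert(host: str, port: int = 443) -> bytes:
    """Return the DER certificate a live server presents.

    The default context still performs normal CA validation, so the pin
    check is a layer on top of chain validation, not a replacement for it.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


# Constructed placeholders standing in for DER certificate bytes; not real certs.
CERT_ORIGINAL = b"constructed-der-for-original-key"
CERT_ROTATED = b"constructed-der-for-some-other-key"


def demo() -> list:
    """Three visits to the same name: first sight, unchanged, then changed."""
    pins = {}
    return [
        check_pin("example.com", CERT_ORIGINAL, pins),
        check_pin("example.com", CERT_ORIGINAL, pins),
        check_pin("example.com", CERT_ROTATED, pins),
    ]


if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```

Pinning the whole certificate means every legitimate renewal also trips the MISMATCH path, which is the same trade-off the thread is discussing from the other side: the check tells you the key behind the name changed, not why. Pinning the public key (SPKI) instead of the full certificate survives renewals that keep the same key, at the cost of needing an ASN.1 parser the standard library does not provide.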


More information about the Python-list mailing list