[vlc-devel] add support for https video streaming from websites with untrusted SSL certificates

Juho Vähä-Herttua juhovh at iki.fi
Mon Dec 20 22:54:26 CET 2010


On 20.12.2010, at 23.06, Rémi Denis-Courmont wrote:
> There is no point in using TLS if you don't verify the certificates. In
> fact, Mozilla is making it quite hard to ignore the certificate errors
> these days. That's not an accident.

I agree with pretty much everything said in the email, but this part is crap. Even without certificate verification TLS is a lot better than plain HTTP, and sniffing the traffic would require a successful active MITM attack. Using TLS without certificate validation (even if it's just plain DH key exchange without signatures) prevents passive sniffers from reading the traffic and possibly finding out sensitive data (HTTP session cookies).

I'm mostly referring to stuff like unencrypted wireless networks and attacks like Firesheep that became quite popular recently. Yeah, encryption without verification is not very effective, because anyone who gets in the middle and can block the packets can also replace the certificates. Calling it pointless is oversimplifying things.

I have no clue about what kind of cipher suites VLC supports in its TLS implementation, but I'd recommend using simple DHE cipher suites without the certificate if it's not going to be verified anyway. Simply ignoring the certificate validation is not right, which I believe is Rémi's point. I don't see why using VLC without certificate validation shouldn't be possible in some way, though.


Juho
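
Added example, not part of the original message or of VLC: a toy Diffie-Hellman exchange in Python showing the distinction drawn above, where an unverified exchange keeps a passive listener out, an on-path party that substitutes the server's public value shares the client's key, and a verification step rejects the substitution. The 127-bit group, the function names, and the fingerprint pin standing in for certificate validation are assumptions chosen for illustration.

```python
import hashlib
import secrets

# Toy group (assumption): 127-bit Mersenne prime, far too small for real use.
P = 2**127 - 1
G = 3

def keypair():
    """Return a (private, public) Diffie-Hellman pair in the toy group."""
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)

def session_key(priv, peer_pub):
    """Derive a symmetric key from the DH shared secret."""
    shared = pow(peer_pub, priv, P)
    return hashlib.sha256(shared.to_bytes(16, "big")).digest()

def fingerprint(pub):
    """Stand-in for certificate validation: hash of the server's public value."""
    return hashlib.sha256(pub.to_bytes(16, "big")).hexdigest()

def handshake(server_pub_on_wire, pinned=None):
    """Client side: optionally verify the received value, then derive the key."""
    if pinned is not None and fingerprint(server_pub_on_wire) != pinned:
        raise ValueError("server key does not match pinned fingerprint")
    priv, pub = keypair()
    return pub, session_key(priv, server_pub_on_wire)

def demo():
    srv_priv, srv_pub = keypair()
    # Passive case: public values cross the wire unmodified. A listener sees
    # only srv_pub and cli_pub and holds neither private exponent.
    cli_pub, cli_key = handshake(srv_pub)
    endpoints_agree = cli_key == session_key(srv_priv, cli_pub)
    # Active case, no verification: the client accepts a substituted value,
    # so the party that supplied it derives the same key as the client.
    mid_priv, mid_pub = keypair()
    cli_pub2, cli_key2 = handshake(mid_pub)
    substituter_has_key = cli_key2 == session_key(mid_priv, cli_pub2)
    # Active case, with verification: the substitution is rejected.
    try:
        handshake(mid_pub, pinned=fingerprint(srv_pub))
        rejected = False
    except ValueError:
        rejected = True
    return endpoints_agree, substituter_has_key, rejected

if __name__ == "__main__":
    print(demo())
```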
