
Show HN: Sslhash: SSL without a certificate authority - jD91mZM2
https://github.com/jD91mZM2/sslhash
======
barrystaes
Rather pointless to compare the SSL certificate to a hash of course. Why not
just compare it to a copy of the certificate. No need to obfuscate and allow
user to be fooled with changed hash.

~~~
jD91mZM2
The hash is a lot smaller and less likely to be subject of a copy-paste error
¯\_(ツ)_/¯

------
lasdfas
How does expiration work? What happens if a TLS/SSL cert is
leaked/compromised? Change the clients as well?

~~~
nemothekid
You would probably need some sort of "authority" to redistribute the hashes.

~~~
lasdfas
One of the main reasons for the library is no need for cert authority. Why not
just create a regular cert authority certificate and put the trusted authority
cert on the clients. That makes it so you almost never have to change the
clients' certs. Also, it's supported by standard TLS libraries and clients.

~~~
jD91mZM2
True, didn't think of that. The server would still have to generate it using a
command though... I like having things automated.

------
Operyl
I’m confused, domains are not a barrier to entry (I’d argue that the developer
account is a much larger barrier). Why is this a needed thing?

~~~
hamandcheese
Not sure what you mean by developer account...

Anyway, if I understand correctly, this is basically just a user friendly
version of certificate pinning.

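The "user friendly certificate pinning" reading above, and the earlier question about what a client does when the server's cert expires or is rotated, can both be shown in a few lines. This is an added example, not code from sslhash or from any commenter: it pins a SHA-256 fingerprint of the DER-encoded certificate (the value OpenSSL prints as a fingerprint), keeps a *set* of pins so a client can carry the current and the next fingerprint across a rotation, and shows the full-certificate comparison suggested in the first comment beside it. `SAMPLE_CERT_DER` is a constructed placeholder, not a real certificate; `connect_with_pin` is the live-network variant and is only defined here, not run.

```python
import hashlib
import hmac
import socket
import ssl
from typing import Iterable

# Constructed stand-in for a peer's DER-encoded certificate. It is NOT a real
# certificate; any byte string works for showing how the pin check behaves.
SAMPLE_CERT_DER = b"\x30\x82\x01\x0a" + b"constructed-sample-certificate-body" * 4


def fingerprint(cert_der: bytes) -> str:
    """SHA-256 over the raw DER bytes, lowercase hex without separators."""
    return hashlib.sha256(cert_der).hexdigest()


def _normalise_pin(pin: str) -> str:
    """Accept OpenSSL-style 'AB:CD:...' as well as bare hex."""
    return pin.replace(":", "").strip().lower()


def pin_matches_hash(cert_der: bytes, pinned: Iterable[str]) -> bool:
    """Hash pinning: accept the peer if its fingerprint is in the trusted set.

    Holding a set rather than one value is what makes rotation workable:
    ship the client with {old, new} before the server switches, then drop
    the old pin in a later client update. Constant-time comparison avoids
    leaking how many leading hex digits matched.
    """
    fp = fingerprint(cert_der)
    return any(hmac.compare_digest(fp, _normalise_pin(p)) for p in pinned)


def pin_matches_cert(cert_der: bytes, pinned_cert_der: bytes) -> bool:
    """Full-certificate pinning: compare the whole DER blob byte for byte."""
    return hmac.compare_digest(cert_der, pinned_cert_der)


def connect_with_pin(host: str, port: int, pinned: Iterable[str],
                     timeout: float = 5.0) -> ssl.SSLSocket:
    """Open a TLS connection and enforce the pin instead of CA validation.

    Chain and hostname checks are disabled because the premise is that no CA
    is trusted; that makes the fingerprint check below mandatory, and the
    socket is closed before anything is sent if it fails.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    raw = socket.create_connection((host, port), timeout=timeout)
    tls = ctx.wrap_socket(raw, server_hostname=host)
    try:
        # binary_form=True returns the DER even though the chain was not validated.
        peer_der = tls.getpeercert(binary_form=True)
        if peer_der is None or not pin_matches_hash(peer_der, pinned):
            raise ssl.SSLCertVerificationError(
                "peer certificate does not match any pinned fingerprint")
    except Exception:
        tls.close()
        raise
    return tls


if __name__ == "__main__":
    current = fingerprint(SAMPLE_CERT_DER)
    rotated_cert = SAMPLE_CERT_DER + b"-renewed"   # constructed "next" certificate
    upcoming = fingerprint(rotated_cert)
    print("pinned fingerprint:", current)
    print("hash pin, current cert:", pin_matches_hash(SAMPLE_CERT_DER, {current}))
    print("hash pin, rotated cert, old pin only:",
          pin_matches_hash(rotated_cert, {current}))
    print("hash pin, rotated cert, {old, new}:",
          pin_matches_hash(rotated_cert, {current, upcoming}))
    print("full-cert pin:", pin_matches_cert(SAMPLE_CERT_DER, SAMPLE_CERT_DER))
```

The hash and the full copy carry the same trust decision; the hash is just shorter to distribute. What neither gives you for free is revocation: a leaked key is only handled by pushing a new pin set to every client, which is exactly the redistribution problem raised in the thread.
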
~~~
Operyl
Oops! For some reason I thought it was Swift at first. My bad, I understand it
a bit better now then :).

