Full Disclosure mailing list archives
Re: FD / lists.grok.org - bad SSL cert
From: chort <chort0 () gmail com>
Date: Mon, 5 Jan 2009 13:11:53 -0800
On Mon, Jan 5, 2009 at 11:46 AM, <Valdis.Kletnieks () vt edu> wrote:
On Mon, 05 Jan 2009 11:25:58 PST, Tim said:Uh, no, actually CAs provide some weak assurance that the certificate is the real one and associated with that server. A self-signed one provides none. If you can't, in some way, authenticate the certificate then SSL is not any better than sending data plain text.It's *slightly* better, in that it guards against passive sniffing attacks on the data in transit. You're right that it doesn't guard against an active MITM attack.
The prevailing use of self-signed certs on the Internet basically destroys the usefulness of HTTPS, since it trains users to simply click "add exception" and ignore the scary warnings "because then I get the lock icon, which means I'm safe!" The browser security model should be changed to visually differentiate between "encrypted" and "authenticated", but that would require massive re-engineering of browser software, and lengthy re-education of lusers. Given the option between no HTTPS and HTTPS via self-signed cert, you should choose the former if you're running a public website. If the connections really do need to be protected, stop being so effing stingy and cough up the $70 for a certificate signed by a CA that is in the default trusted bundle of major browsers. -- chort _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Re: FD / lists.grok.org - bad SSL cert, (continued)
- Re: FD / lists.grok.org - bad SSL cert Tim (Jan 05)
- Re: FD / lists.grok.org - bad SSL cert Valdis . Kletnieks (Jan 05)
- Re: FD / lists.grok.org - bad SSL cert Tim (Jan 05)
- Re: FD / lists.grok.org - bad SSL cert Valdis . Kletnieks (Jan 05)
- Re: FD / lists.grok.org - bad SSL cert Tim (Jan 05)
- Re: FD / lists.grok.org - bad SSL cert Valdis . Kletnieks (Jan 05)
- Re: FD / lists.grok.org - bad SSL cert Tim (Jan 05)
- The merits and uses of CAs Christopher Pritchard (Jan 05)
- Re: The merits and uses of CAs Valdis . Kletnieks (Jan 05)
- Re: FD / lists.grok.org - bad SSL cert Tim (Jan 05)
- Re: FD / lists.grok.org - bad SSL cert Tim (Jan 05)
- Re: FD / lists.grok.org - bad SSL cert chort (Jan 05)
- Re: FD / lists.grok.org - bad SSL cert Volker Tanger (Jan 05)
- Re: FD / lists.grok.org - bad SSL cert Tim (Jan 05)
- Re: FD / lists.grok.org - bad SSL cert Avraham Schneider (Jan 06)
- Re: FD / lists.grok.org - bad SSL cert Tim (Jan 05)
- Re: FD / lists.grok.org - bad SSL cert anonymous pimp (Jan 05)
- Re: anonymous pimp's ideas of list etiquette (was: FD / lists.grok.org - bad SSL cert) Tim (Jan 05)
- Re: FD / lists.grok.org - bad SSL cert A . L . M . Buxey (Jan 06)