Re: [Full-disclosure] FD / lists.grok.org - bad SSL cert

From: <Valdis.Kletnieks_at_nospam>
Date: Mon Jan 05 2009 - 19:46:42 GMT
To: Tim <tim-security@sentinelchicken.org>

On Mon, 05 Jan 2009 11:25:58 PST, Tim said:
> Uh, no, actually CAs provide some weak assurance that the certificate is
> the real one and associated with that server. A self-signed one
> provides none. If you can't, in some way, authenticate the certificate
> then SSL is not any better than sending data plain text.

It's *slightly* better, in that it guards against passive sniffing attacks on the data in transit. You're right that it doesn't guard against an active MITM attack.

Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/

This message: [ Message body ]
Next message: Warren Myers: "Re: [Full-disclosure] to those who want moderation..."
Previous message: Tim: "Re: [Full-disclosure] FD / lists.grok.org - bad SSL cert"
In reply to: Tim: "Re: [Full-disclosure] FD / lists.grok.org - bad SSL cert"
Next in thread: Tim: "Re: [Full-disclosure] FD / lists.grok.org - bad SSL cert"
Reply: Tim: "Re: [Full-disclosure] FD / lists.grok.org - bad SSL cert"
Reply: Tim: "Re: [Full-disclosure] FD / lists.grok.org - bad SSL cert"
Reply: chort: "Re: [Full-disclosure] FD / lists.grok.org - bad SSL cert"

Contemporary messages sorted: [ By Date ] [ By Thread ] [ By Subject ] [ By Author ]