|Main Archive Page > Month Archives > full-disclosure-uk archives|
On Mon, Jan 5, 2009 at 11:46 AM, <Valdis.Kletnieks@vt.edu> wrote:
> On Mon, 05 Jan 2009 11:25:58 PST, Tim said:
>> Uh, no, actually CAs provide some weak assurance that the certificate is
>> the real one and associated with that server. A self-signed one
>> provides none. If you can't, in some way, authenticate the certificate
>> then SSL is not any better than sending data plain text.
> It's *slightly* better, in that it guards against passive sniffing attacks
> on the data in transit. You're right that it doesn't guard against an
> active MITM attack.
The prevailing use of self-signed certs on the Internet basically destroys the usefulness of HTTPS, since it trains users to simply click "add exception" and ignore the scary warnings "because then I get the lock icon, which means I'm safe!"
The browser security model should be changed to visually differentiate between "encrypted" and "authenticated", but that would require massive re-engineering of browser software, and lengthy re-education of lusers.
Given the option between no HTTPS and HTTPS via self-signed cert, you should choose the former if you're running a public website. If the connections really do need to be protected, stop being so effing stingy and cough up the $70 for a certificate signed by a CA that is in the default trusted bundle of major browsers. -- chort _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/