full-disclosure-uk January 2009 archive
Main Archive Page > Month Archives  > full-disclosure-uk archives
full-disclosure-uk: Re: [Full-disclosure] FD / lists.grok.org -

Re: [Full-disclosure] FD / lists.grok.org - bad SSL cert

From: chort <chort0_at_nospam>
Date: Mon Jan 05 2009 - 21:11:53 GMT
To: Valdis.Kletnieks@vt.edu

On Mon, Jan 5, 2009 at 11:46 AM, <Valdis.Kletnieks@vt.edu> wrote:
> On Mon, 05 Jan 2009 11:25:58 PST, Tim said:
>> Uh, no, actually CAs provide some weak assurance that the certificate is
>> the real one and associated with that server. A self-signed one
>> provides none. If you can't, in some way, authenticate the certificate
>> then SSL is not any better than sending data plain text.
> It's *slightly* better, in that it guards against passive sniffing attacks
> on the data in transit. You're right that it doesn't guard against an
> active MITM attack.

The prevailing use of self-signed certs on the Internet basically destroys the usefulness of HTTPS, since it trains users to simply click "add exception" and ignore the scary warnings "because then I get the lock icon, which means I'm safe!"

The browser security model should be changed to visually differentiate between "encrypted" and "authenticated", but that would require massive re-engineering of browser software, and lengthy re-education of lusers.

Given the option between no HTTPS and HTTPS via self-signed cert, you should choose the former if you're running a public website. If the connections really do need to be protected, stop being so effing stingy and cough up the $70 for a certificate signed by a CA that is in the default trusted bundle of major browsers. -- chort _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/