full-disclosure-uk January 2009 archive
Main Archive Page > Month Archives  > full-disclosure-uk archives
full-disclosure-uk: Re: [Full-disclosure] FD / lists.grok.org -

Re: [Full-disclosure] FD / lists.grok.org - bad SSL cert

From: Michael Krymson <krymson_at_nospam>
Date: Wed Jan 07 2009 - 16:47:57 GMT
To: full-disclosure@lists.grok.org.uk

Two exercises.

  1. Put these three items in order of value to you.
    - website with no SSL at all but accepts logins
    • website with self-signed SSL
    • website with omg-the-world-trusts-it-because-it-cost-money SSL

I think it becomes apparent that there is some value to the self-signed SSL, as Valdis mentioned. Sure, it doesn't protect against a mitm attack, but it does protect against raw sniffing, just like he originally said. In fact, value each of those on a scale of 100 (secured!) to 1 (not secured!). I imagine you'll find self-signed SSLs are closer to one than the other...

2. Let's say you run this mailing list and don't profit off it. Are you willing to pay for the SSL cert? Have you done a risk analysis? What exactly are you protecting by fending off some nasty MITM attack that wants to sniggle your login credentials for the full-disclosure mailing list, an unmoderated mailing list where I could pose as you and spoof email if I wanted? Are your mailing list settings really that important?

My guess is there are three concerns:
a. You use the same password on your mailing list account and other places. Shame on you if so...that's your problem. b. You are concerned someone might connect your IP/browser to the account dirtysecuritywhore@iwanttohide.com. In which case, you should have been taking other measures anyway.
c. You don't want ureleet unsubscribing you every day (face it, we ALL want to do this to netdev). Fine, this is valid, but really, who the hell will MITM you just so they can mess with you? Your ISP? Your flatmates on the same network as you?

Basically speaking, the risks of managing your mailing list account via a self-signed SSL should be slim to none, and anyone who wants to argue the differences between self-signed certs and trusted ones should be smart enough to reduce their risk to nearly none despite the evul self-signed cert on the Internet.

Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/