self-signed certificates (was Re: I'd like to get rid of pulseaudio but ...)
Wolfgang S. Rupprecht
wolfgang.rupprecht+gnus200905 at gmail.com
Sun May 31 20:08:08 UTC 2009
Chris Adams <cmadams at hiwaay.net> writes:
> HTTPS with an unknown self-signed cert is barely any more secure than
> unencrypted HTTP, since a man-in-the-middle attack could just be
> replacing the cert and decrypting all communications.
It is a shame that there isn't a simple documented way to add other CA's
to Firefox's approved list or some system global way to add CA's for all
programs looking for pki certs.
I for one don't really trust external CA's for access to my computers
since I don't know their verification policy. For all I know one of
them can be tricked into handing out a *.wsrcc.com certificate. I feel
much more secure knowing that anyone signing with my CA first has to get
hold of the signing key and then decrypt it.
As for the man-in-the-middle attack, I'd imagine the biggest usage case
is an eavesdropped-in-the-middle and not someone that was able to break
the data stream and insert themselves. Having an encrypted channel with
a slightly nebulous endpoint is still better than having an unencrypted
channel.
-wolfgang
--
Wolfgang S. Rupprecht Android 1.5 (Cupcake) and Fedora-11
More information about the fedora-list
mailing list