SSL cert

Eric Anopolsky erpo41 at gmail.com
Wed Oct 15 16:14:20 EDT 2008


On Wed, 2008-10-15 at 15:38 -0400, Derek Atkins wrote:
> Quoting Tommy Trussell <tommy.trussell at gmail.com>:
> 
> >> Just accept the certificate and move on with life.  Either that
> >> or find some trusted CA (meaning already in Firefox, IE, and Safari)
> >> that will provide free SSL Certs.
> >
> > I just looked around and see that GoDaddy has a "special" price of
> > $14.99 for an SSL certificate...
> >
> > http://www.godaddy.com/gdshop/compare/gdcompare_ssl.asp
> >
> > I haven't done business with them so I imagine the renewal might be
> > more expensive.
> >
> > Would a trusted certificate be useful for any other purposes, or is it
> > needed only for the list server?
> 
> Nope, no other purpose than to get that warning to go away when
> people follow the HTTPS links to the server.  Personally I see nothing
> wrong with self-signed certificates provided you save them forever.
> It's no worse than the security that SSH gives you.

I think HTTPS connections using self-signed SSL/TLS certificates are
worse than the security SSH gives you.

Self-signed certificates expose the user to man in the middle attacks.
There's no practical way to deal with this for a web site the user may
be visiting for the first time.

On the other hand, with SSH, typically the client has some preexisting
out-of-band relationship with the server (at least enough to get a login
and password). It's possible that the server's key fingerprint can be
verified through this channel.

> It's certainly not worth it to me to pay $15 just to help that one
> poor soul a year who gets confused by his browser and doesn't know
> to just accept it.  The fact that Firefox is making it harder to
> accept self-signed certs doesn't help. :(

No, that certainly isn't cool. Self-signed certificates have a lot of
value, and there are certainly people out there who can't figure out
Firefox's process for adding exceptions but who need help with gnucash.

Plus, rejecting self-signed certificates supports the idea that trust is
hierarchical rather than a web, which I think is an incorrect and
dangerous belief to hold.

Cheers,
Eric
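Added example, not from this thread and not GnuCash project code: a known_hosts-style trust-on-first-use pin store for a self-signed certificate, making the SSH comparison above concrete. It assumes a SHA-256 fingerprint pin, a plain dict as the store, and constructed placeholder hosts and certificate bytes; `fetch_der` is only for pulling the live certificate when you do have network access.

```python
import hashlib
import socket
import ssl
from typing import Dict, Optional

def fingerprint(der_cert: bytes) -> str:
    """SHA-256 over the DER bytes, in the colon-separated form browsers display."""
    digest = hashlib.sha256(der_cert).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def fetch_der(host: str, port: int = 443) -> bytes:
    """Retrieve the server's leaf certificate without CA validation.
    Used only to obtain bytes for pinning; the pin check below is the control."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)

def check_pin(store: Dict[str, str], host: str, der_cert: bytes,
              expected_fp: Optional[str] = None) -> str:
    """Trust-on-first-use check, like SSH's known_hosts.

    Returns:
      "verified" first contact and an out-of-band fingerprint matched (the SSH
                 case Eric describes: login credentials came with a fingerprint)
      "pinned"   first contact, stored unverified (the window Eric warns about:
                 a first-visit MITM is indistinguishable from the real server)
      "ok"       later contact, certificate unchanged ("save them forever")
      "MISMATCH" certificate changed: re-key or interception; stop and re-verify
    """
    fp = fingerprint(der_cert)
    if host in store:
        return "ok" if store[host] == fp else "MISMATCH"
    if expected_fp is not None:
        if expected_fp.upper() != fp:
            return "MISMATCH"
        store[host] = fp
        return "verified"
    store[host] = fp
    return "pinned"

if __name__ == "__main__":
    # Constructed stand-in certificate bytes; a real DER cert would come from fetch_der().
    pins: Dict[str, str] = {}
    cert = b"constructed-der-bytes-for-demo"
    print(check_pin(pins, "lists.example.org", cert))  # first visit: pinned
    print(check_pin(pins, "lists.example.org", cert))  # repeat visit: ok
```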
