SSL cert

Eric Anopolsky erpo41 at gmail.com
Wed Oct 15 16:36:55 EDT 2008


On Wed, 2008-10-15 at 22:09 +0200, Graham Leggett wrote:
> Self signed certificates are meaningless, anyone can impersonate your 
> server.

There are a lot of nasty things people can do without performing a MITM
attack, like eavesdropping on unencrypted connections. Self-signed
certificates close that hole simply, quickly, and automatically.

Also, anyone performing a MITM attack on a connection involving a server
with a self-signed certificate will either have to keep it up forever or
let the client see that the server's certificate has "changed." That's a
pretty strong indicator that something fishy is going on. With
unencrypted traffic, the client would get no such warning.

> The illusion that you have security is far worse than having no 
> security at all.

Agreed.

> Please don't spread this FUD around. Certificates exist for a reason, 
> and signature failure warnings should be taken seriously.

I would say that giving an illusion of security is exactly what the
hierarchical trust model for certificates does.

Regarding your message to the list, my client reports that "This message
is signed and valid meaning that it is very likely that this message is
authentic." When I view your certificate, it tells me that its reason
for the assertion is that your certificate was signed by the Thawte
Personal Freemail Issuing CA, which was signed by the Thawte Personal
Freemail CA.

I don't know anyone who works for Thawte, or where they store their
private keys, or if they use good passphrases, or if they have any
embarrassing secrets that could be used against them. When I do know
these things, then I will sign their certificate with my own, at which
point my email client should begin considering their signatures as
meaningful. 

Cheers,
Eric
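The "certificate has changed" warning Eric relies on is a trust-on-first-use check; as an added example that is not part of the original thread, here is a known-hosts style store keyed by the certificate's SHA-256 fingerprint. The host name and DER bytes in the demo are constructed placeholders, not real certificates.

```python
import hashlib
import json
from pathlib import Path


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate, colon-separated hex."""
    digest = hashlib.sha256(der_cert).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


class TrustOnFirstUse:
    """Known-hosts style store: host -> fingerprint seen on the first connection.

    path=None keeps the store in memory only (useful for tests); otherwise the
    mapping is persisted as JSON so later sessions can detect a changed cert.
    """

    def __init__(self, path=None):
        self.path = Path(path) if path else None
        self.known = {}
        if self.path and self.path.exists():
            self.known = json.loads(self.path.read_text())

    def _save(self):
        if self.path:
            self.path.write_text(json.dumps(self.known, indent=2))

    def check(self, host: str, der_cert: bytes) -> str:
        fp = fingerprint(der_cert)
        seen = self.known.get(host)
        if seen is None:
            # Nothing to compare against yet: trust is established now.
            self.known[host] = fp
            self._save()
            return "first-use"
        if seen == fp:
            return "match"
        # Either a legitimate key rotation or an interposed server; the client
        # must not silently accept it, which is the warning the post describes.
        return "changed"


if __name__ == "__main__":
    store = TrustOnFirstUse()
    cert_a = b"constructed DER bytes for the real server"   # placeholder
    cert_b = b"constructed DER bytes for an interposer"     # placeholder
    print(store.check("mail.example", cert_a))  # first-use
    print(store.check("mail.example", cert_b))  # changed
```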
