SSL cert

Graham Leggett minfrin at sharp.fm
Wed Oct 15 17:43:33 EDT 2008 

Eric Anopolsky wrote:

> There are a lot of nasty things people can do without performing a MITM
> attack, like eavesdropping on unencrypted connections. Self-signed
> certificates close that hole simply, quickly, and automatically.

If you created the self signed cert yourself, then sure. If you didn't, 
then the connection might as well be completely open.

> Also, anyone performing a MITM attack on a connection involving a server
> with a self-signed certificate will either have to keep it up forever or
> let the client see that the server's certificate has "changed." That's a
> pretty strong indicator that something fishy is going on. With
> unencrypted traffic, the client would get no such warning.

It is trivial to insert a man in the middle at an ISP, and you would 
never know. People are not security savvy enough to know when something 
fishy is going on. In fact it is hard enough to get people to understand 
the warnings in the first place, which is why FF goes to such lengths to 
stop you visiting such a page.

> I don't know anyone who works for Thawte, or where they store their
> private keys, or if they use good passphrases, or if they have any
> embarrassing secrets that could be used against them. When I do know
> these things, then I will sign their certificate with my own, at which
> point my email client should begin considering their signatures as
> meaningful. 

Use the appropriate level of security for your situation.

If the fact that the Mozilla project (by way of example) requires that a 
potential CA undergoes independent and audited verification of the 
procedures you list above isn't sufficient for your needs, then use a 
PGP key suitably signed to a level of trust you need, or set up your own 
private CA (as I have done for various purposes).

I personally think the Mozilla project's checks and balances are good 
enough for me, which is why I use their trust chain for email.

YMMV.

Regards,
Graham
--
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3287 bytes
Desc: S/MIME Cryptographic Signature
Url : http://lists.gnucash.org/pipermail/gnucash-user/attachments/20081015/be6a6ba0/attachment.bin

More information about the gnucash-user mailing list