[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

self-signed certificates (was Re: I'd like to get rid of pulseaudio but ...)

Chris Adams <cmadams hiwaay net> writes:
> HTTPS with an unknown self-signed cert is barely any more secure than
> unencrypted HTTP, since a man-in-the-middle attack could just be
> replacing the cert and decrypting all communications.

It is a shame that there isn't a simple documented way to add other CA's
to Firefox's approved list or some system global way to add CA's for all
programs looking for pki certs.

I for one don't really trust external CA's for access to my computers
since I don't know their verification policy.  For all I know one of
them can be tricked into handing out a *.wsrcc.com certificate.  I feel
much more secure knowing that anyone signing with my CA first has to get
hold of the signing key and then decrypt it.

As for the man-in-the-middle attack, I'd imagine the biggest usage case
is an eavesdropped-in-the-middle and not someone that was able to break
the data stream and insert themselves.  Having an encrypted channel with
a slightly nebulous endpoint is still better than having an unencrypted

Wolfgang S. Rupprecht              Android 1.5 (Cupcake) and Fedora-11

[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]