I'm not following you here. You still have encryption with a self signed cert, 
but no trust. But if you can't trust yourself, who else can you trust? 

On public wifi without the self signed cert, the conversation could be read, 
not to mention login credentials.

Take "letsencrypt" for example. Prior to adding their certificates to my root 
store, I could still get encryption, provided I let my browser go ahead. I just 
could trust the website identity. 

The Hong Kong Post Office is a CA, but I don't really trust them. ;-)

For private use, self signed is fine. Note that in email, you generally set up 
the mta with "may encrypt". That is how the MITM hacks your email by stripping 
SSL then allowing a downgrade. (Neither rain nor snow nor a MITM, the mail must 
go through.) But xmpp doesn't have the downgrade option. 

Original Message
From: Tomasz Sterna
Sent: Tuesday, May 3, 2016 11:12 AM
To: jabberd2@lists.xiaoka.com
Reply To: jabberd2@lists.xiaoka.com
Cc: Jabber/XMPP software development list
Subject: Re: self signed cert

On 03.05.2016, Tue at 09:40 -0700, user
li...@lazygranch.com wrote:
> I suspect you wouldn't want s2s to use a self signed cert, so
> allowing two levels of verification (c2s and s2s) sounds complex. You
> fix one thing in software and you break something else.

So, why would you allow self-signed on C2S?

Why do you want to use encryption in the first place?
So, no one is able to read the conversation, right?
But a self-signed cert does not give you this... Just a false illusion
that you are protected from eavesdropping.
But self-signed does not protect you from man-in-the-middle attack, so
basically still anyone able to tap the wire your transmission is going
through is able to read it, with just slightly more effort.


> I noticed the online documentation doesn't completely match the xml,
> but there are enough comments in the xml that I could get close to
> setting it up. It is just the certs that are confusing.

Yeah. The real and up to date source of documentation are the comments
in the configuration files.


-- 
/o__ 
(_<^' Practice is the best of all instructors.
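The downgrade the top reply describes (an MTA set to "may encrypt" carries on in the clear when the STARTTLS offer is stripped on the path, while a client that insists on TLS has no downgrade option) can be modelled in a few lines of Python. This is an added illustration, not code from jabberd2 or from either poster: the EHLO response, the XMPP stream features and the policy labels "may" and "encrypt" (taken from the thread's wording) are all constructed for the example.

```python
"""Model of STARTTLS downgrade for an opportunistic ("may") client versus a
client that insists on TLS, for both SMTP EHLO capabilities and XMPP stream
features. Constructed illustration for this thread; not jabberd2 code."""
import xml.etree.ElementTree as ET

XMPP_TLS_NS = "urn:ietf:params:xml:ns:xmpp-tls"

# Constructed server responses (not captured traffic).
EHLO_RESPONSE = [
    "250-mail.example.org Hello client.example.net",
    "250-STARTTLS",
    "250-SIZE 10240000",
    "250 HELP",
]
STREAM_FEATURES = (
    '<stream:features xmlns:stream="http://etherx.jabber.org/streams">'
    '<starttls xmlns="urn:ietf:params:xml:ns:xmpp-tls"><required/></starttls>'
    '</stream:features>'
)


def smtp_capabilities(ehlo_lines):
    """Collect the EHLO keywords ('STARTTLS', 'SIZE', ...) a server advertises."""
    caps = set()
    for line in ehlo_lines:
        # Continuation lines are '250-KEYWORD ...', the last one is '250 KEYWORD'.
        if line.startswith("250") and len(line) > 4 and line[3] in "- ":
            caps.add(line[4:].split()[0].upper())
    return caps


def strip_smtp_starttls(ehlo_lines):
    """Simulated on-path tampering: the STARTTLS offer never reaches the client."""
    return [line for line in ehlo_lines if "STARTTLS" not in line.upper()]


def xmpp_tls_requirement(features_xml):
    """Return 'required', 'optional' or 'absent' for the <starttls/> feature."""
    root = ET.fromstring(features_xml)
    tls = root.find(f"{{{XMPP_TLS_NS}}}starttls")
    if tls is None:
        return "absent"
    required = tls.find(f"{{{XMPP_TLS_NS}}}required") is not None
    return "required" if required else "optional"


def strip_xmpp_starttls(features_xml):
    """Same tampering against the XMPP <stream:features/> element."""
    root = ET.fromstring(features_xml)
    for tls in root.findall(f"{{{XMPP_TLS_NS}}}starttls"):
        root.remove(tls)
    return ET.tostring(root, encoding="unicode")


def client_decision(tls_offered, tls_policy):
    """'tls' when the offer is present; otherwise the policy decides whether the
    client carries on in the clear ('plaintext') or refuses ('abort')."""
    if tls_offered:
        return "tls"
    return "plaintext" if tls_policy == "may" else "abort"


def smtp_decision(ehlo_lines, tls_policy):
    return client_decision("STARTTLS" in smtp_capabilities(ehlo_lines), tls_policy)


def xmpp_decision(features_xml, tls_policy):
    return client_decision(xmpp_tls_requirement(features_xml) != "absent", tls_policy)


if __name__ == "__main__":
    for policy in ("may", "encrypt"):
        print(policy, "smtp:", smtp_decision(EHLO_RESPONSE, policy),
              "-> stripped:", smtp_decision(strip_smtp_starttls(EHLO_RESPONSE), policy))
        print(policy, "xmpp:", xmpp_decision(STREAM_FEATURES, policy),
              "-> stripped:", xmpp_decision(strip_xmpp_starttls(STREAM_FEATURES), policy))
```

The model covers only the policy side of the exchange: with "may" the stripped offer silently turns into a plaintext session, with "encrypt" it turns into a refused one. Whether the peer's certificate is then verified once TLS is up is a separate decision, which is the point Tomasz makes about self-signed certificates giving encryption without protection against a man-in-the-middle.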
