Ah, but the man in the middle only gets one chance to mess with your cert. That 
is the first time you encounter the self signed cert, you trust it and it goes 
into your root store. So don't do that first encounter over public wifi. You 
could also just distribute the cert to those that need it. 

I know when I used a web hosting company to handle my email, I would yearly 
have to blindly trust the new cert. Granted I inspected it, but the mua didn't 
do anything to verify the cert. Now I suppose if I used Web based email, that 
might have been different.

I'm thick skinned to feel free to tell me if I got any part of this wrong.
  Original Message  
From: Tomasz Sterna
Sent: Tuesday, May 3, 2016 4:30 PM
To: jabberd2@lists.xiaoka.com
Reply To: jabberd2@lists.xiaoka.com
Subject: Re: self signed cert

W dniu 03.05.2016, wto o godzinie 12∶34 -0700, użytkownik
li...@lazygranch.com napisał:
> I'm not following you here. You still have encryption with a self
> signed cert, but no trust. But if you can't trust yourself, who else
> can you trust? 

If you have a reliable way of distributing your certificate, then yes.
But then you are acting as an CA, so why don't use a real one?

But if you just accept whatever cert server provides you with (like
most people connecting self-signed service), then you have no more
protection than on unencrypted connection.

> On public wifi without the self signed cert, the conversation could
> be read, not to mention login credentials.

Using man-in-the-middle attack, even the encrypted conversation could
be read - see above scenario with accepting server provided cert.

And the default configuration of jabberd2 is not to allow plain text
passwords on unencrypted channel, so you cannot read the login

> Take "letsencrypt" for example. Prior to adding their certificates to
> my root store, I could still get encryption, provided I let my
> browser go ahead. I just could trust the website identity. 

But you are not sure the identity. You could aswell trust the man-in-
the-middle proxying your communication and posing as the website.

> The Hong Kong Post Office is a CA, but I don't really trust them. ;-
> )‎ 

They passed the audit checking whether they reliably verify the
credentials before signing certs.

> But xmpp doesn't have the downgrade option. 

You do not need to downgrade to unencrypted channel. MITM can aswell
proxy an encrypted connection on both sides decrypting/encrypting on
flight. As long as clients accept self-signed certs blindly, without
consulting CA registry.

/o__ Documentation is like sex: when it is good, it is very, very good; and
(_<^' when it is bad, it is better than nothing.

Reply via email to