They absolutely do. If you construct your own chain (qualified answer: strong crypto, valid fields, proper chaining), from end-to-end with only certs that you trust and control, you're 100%.
Hard is getting client (with only pinned cert) and server (with only pinned cert) combo deployed where you need. Recommend this book: http://www.amazon.com/gp/aw/d/1907117040/ref=mp_s_a_1_1?qid=1462424910&sr=8-1&pi=SY200_QL40&keywords=bulletproof+tls&dpPl=1&dpID=41QGf5IVA3L&ref=plSrch

Delivered by drones...

On May 4, 2016 9:53 PM, "Marcel Waldvogel" <marcel.waldvo...@uni-konstanz.de> wrote:

> But then again, these days, self-signed certs have no advantage over
> CA-signed certs.
>
> Best regards,
> -Marcel Waldvogel <https://me.uni.kn/marcel.waldvogel>
> (short & sweet)
>
> On 04.05.2016 at 16:05, Dave Cridland <d...@cridland.net> wrote:
>
>
>
> On 3 May 2016 at 19:10, Tomasz Sterna <to...@xiaoka.com> wrote:
>
>> On 03.05.2016, Tue at 09:40 -0700, user
>> li...@lazygranch.com wrote:
>> > I suspect you wouldn't want s2s to use a self-signed cert, so
>> > allowing two levels of verification (c2s and s2s) sounds complex. You
>> > fix one thing in software and you break something else.
>>
>> So, why would you allow self-signed on C2S?
>>
>> Why do you want to use encryption in the first place?
>> So, no one is able to read the conversation, right?
>> But a self-signed cert does not give you this... Just a false illusion
>> that you are protected from eavesdropping.
>> But self-signed does not protect you from a man-in-the-middle attack, so
>> basically still anyone able to tap the wire your transmission is going
>> through is able to read it, with just slightly more effort.
>>
>>
> I used to agree with you, but I've changed my mind over the years - it
> turns out that because it forces an attacker to switch from passive
> eavesdropping to active MITM, this is a blocker for the majority of
> attackers, especially opportunistic or mass-surveillance actors.
>
> So a self-signed cert is better than no cert at all (even if you want
> something independently verifiable ideally).
>
>
>> > I noticed the online documentation doesn't completely match the xml,
>> > but there are enough comments in the xml that I could get close to
>> > setting it up. It is just the certs that are confusing.
>>
>> Yeah. The real and up-to-date source of documentation is the comments
>> in the configuration files.
>>
>>
>> --
>> /o__
>> (_<^' Practice is the best of all instructors.
>>
>>
>> _______________________________________________
>> JDev mailing list
>> Info: http://mail.jabber.org/mailman/listinfo/jdev
>> Unsubscribe: jdev-unsubscr...@jabber.org
>> _______________________________________________
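To put the two positions in the thread side by side (a chain you build and control end-to-end versus a self-signed cert that only defeats passive eavesdropping), here is an added shell example that is not code from anyone on this thread: it creates a private root, signs a server cert with it, and shows that verification trusting only that root accepts the signed cert and rejects an unrelated self-signed cert for the same name. It assumes `openssl` 1.1.0 or newer on PATH; the file names and the host name `xmpp.example.test` are constructed.

```shell
# Added example, not from the thread: build a chain you fully control and
# verify against ONLY that root. Assumes `openssl` (1.1.0+) on PATH; the
# file names and the CN values below are constructed for the example.

# Creates a private root, a server cert signed by it, and an unrelated
# self-signed cert with the same CN. Prints the working directory.
build_private_chain() {
    dir=$(mktemp -d)
    # Root CA we control: the only anchor the client will trust (the "pin").
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -subj "/CN=Example Private Root" \
        -keyout "$dir/root.key" -out "$dir/root.pem" 2>/dev/null
    # Server key + CSR, then sign the CSR with our root (proper chaining).
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=xmpp.example.test" \
        -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null
    openssl x509 -req -in "$dir/server.csr" -days 825 -sha256 \
        -CA "$dir/root.pem" -CAkey "$dir/root.key" -CAcreateserial \
        -out "$dir/server.pem" 2>/dev/null
    # Unrelated self-signed cert for the same name: a client that accepts
    # "any self-signed cert" cannot tell this apart from the real one.
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 825 \
        -subj "/CN=xmpp.example.test" \
        -keyout "$dir/other.key" -out "$dir/other.pem" 2>/dev/null
    echo "$dir"
}

# Exit status 0 only if the cert chains to the pinned root; the system CA
# directory is ignored so nothing outside our own chain can satisfy it.
verify_against_pinned_root() {
    # $1 = directory holding root.pem, $2 = certificate file to check
    openssl verify -CAfile "$1/root.pem" -no-CApath "$2" >/dev/null 2>&1
}

# Usage: d=$(build_private_chain)
#        verify_against_pinned_root "$d" "$d/server.pem"   # status 0
#        verify_against_pinned_root "$d" "$d/other.pem"    # non-zero
```

Pointing the same check at a system CA bundle instead of `root.pem` is exactly the "CA-signed" case Marcel mentions; the pinned form accepts nothing the private root did not sign.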