Karl,
Everything you say is true, and if you install a the CA certificate into
the browser then you will have the secure connection that you want, however if
you don't have the CA cert in the browser then the server that you are talking
to may not be who you then they are, so what? - this is the opportunity for a
'man in the middle' attack.
Instead of this:
You -> server
You may have this:
You -> 'man in the middle' -> server
The man in the middle would make you believe that he is the server and he would
make the server believe that he is you.
Both https connections would be secure, but (here's the point) the man in the
middle would have the unencrypted data. This is similar to a previous thread on
ADH.
On top of this, depending on your server and clients there may be more of a
headache trying to use strong encryption, if everything is 'domestic strength'
then that's not an issue.
Mikey
Karl Denninger <[EMAIL PROTECTED]> on 03/03/2000 15:39:23
Please respond to [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
cc: (bcc: Mike Innes/Virgin Direct/GB)
Subject: Re: Certificate questions...
Hi John,
On Fri, Mar 03, 2000 at 10:06:19AM -0000, Airey, John wrote:
> Assuming we are talking about Thawte's server test certificates, they are
> only for use for one month. Using them helps you to understand how to
> install a real certificate without running the risk of destroying it (a very
> real risk with NT!)
Not really true. You can set the validity up to 365 days.
> They are not intended for production use. Thawte's own certificates are
> accepted by all browsers (AFAIK) and prove to those who connect to your site
> that you are the company that you say you are. This is what you pay for, and
> if you ask me it's well worth the money.
>
> If you don't intend to connect your site to the outside world, you can make
> your own certificates anyway. The documentation to do that comes with
> openssl.
>
> John
I'm NOT using SSL for ecommerce so "proving" something is worthless to me.
My entire and sole use for SSL on my web server is to ENCRYPT TRAFFIC. That
is, I don't CARE if someone believes I am who I say I am, but I very much
care that the CONTENT is not able to be picked off in transit.
For example, I receive faxes on my systems and store them in a private,
password-secured web directory. By ensuring that any access to that
directory or its contents requires SSL, I ensure that nobody can pick off
the traffic in transit and SEE the faxes that I may view from a remote
location. Since I use my fax system for things that I would consider
PRIVATE, this is important to me.
In this case I know damn well that I am who I say that I am, because I'm the
one connecting to the server. My *ONLY* use for SSL here is to PROTECT THE
DATA, *NOT* certify ownership.
Likewise, I might want to make data available to another person that I (1)
want to password protect for them, and (2) want to make CERTAIN is not
compromised in transit. HTTPS again does the job, but again, the
"certification" of who I claim to be is IRRELAVENT to the process.
There is NO WAY under the current paradigm that I've found to do this
without popping up warnings on every browser in existence. This is a
severe and serious shortcoming in the SSL software in those browsers,
as not *EVERYONE* is interested in using SSL for Ecommerce where the
identity of the owner of the connection is important!
As it stands I'll buy a cert from Thawte if I can jump through their hoops,
but for some people it is inherently NOT WHAT THEY WANT TO DO in passing
encrypted traffic (eg: vetting that the sender is who they say they are).
In fact, for SOME potential uses of secure communication, it is absolutely
anathema that either end be positively identifyable in this kind of fashion.
This is something that you SSL folks need to look into finding a way to
resolve - perhaps a public "CA" similar to the MIT keyring for PGP keys is
called for here - a place where you can "sign" a key but not jump through
said hoops, yet keep the silly warnings off the user's computers!
--
--
Karl Denninger ([EMAIL PROTECTED]) Web: http://childrens-justice.org
Isn't it time we started putting KIDS first? See the above URL for
a plan to do exactly that!
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
********************************************************************************
Internet communications are not secure. This message is confidential to the intended
addressee. Any copying or distribution of it by anyone without the addressee's consent
may be unlawful. If you are not the intended addressee, please inform us immediately
and then delete this message.
Virgin Direct Personal Financial Service Ltd is regulated by the Personal Investment
Authority for life insurance, pension and unit trust business and represents only the
Virgin Direct marketing group. Registered office: Discovery House, Whiting Road,
Norwich NR4 6EJ, UK. Registered in England No. 3072766.
The Virgin One account is a secured personal bank account with The Royal Bank of
Scotland plc. It is provided by Virgin Direct Personal Finance Ltd which is a
representative only of Virgin Direct Personal Financial Service Ltd. Registered
office: Waterhouse Square, 138-142 Holborn, London EC1N 2TH, UK. Registered in England
no 3414708.
The Virgin Deposit Account is a personal deposit account with The Royal Bank of
Scotland plc administered by Virgin Direct Personal Financial Service Ltd.
********************************************************************************
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
