On 16.12.2012 22:12, Claudiu Curcă wrote:
> Excuse me, but why would anyone wish to use a nontrusted CA and open
> themselves to MITM attacks when there are even recognized CAs which offer
> certificates for free? (StartSSL comes to mind first...)
That point is only relevant if you're rejecting unencrypted connections. But that is not the point of the discussion: it is about rejecting self-signed or “private” CAs in the context where unencrypted connections _are_ accepted. If an unencrypted connection is accepted, you're _always_ better off using an encrypted connection with a self-signed or whatever certificate, because you are at least protected against passive attacks just reading the packets in transit.

regards,
Jonas W.
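The policy Jonas describes, as an added illustration that is not part of the thread: a client only falls back to an unverified (self-signed) TLS session, and then to plaintext, when it would have accepted plaintext anyway; if plaintext is rejected, a certificate that fails validation is refused, because the fallback could otherwise be used to downgrade a verified connection. `connect`, `try_tls`, `tls_attempt` and the `Outcome` names are assumptions made for this example.

```python
import socket
import ssl
from enum import Enum


class Outcome(Enum):
    TLS_VERIFIED = "tls-verified"          # certificate chains to a trusted CA
    TLS_OPPORTUNISTIC = "tls-unverified"   # encrypted, peer identity not proven
    PLAINTEXT = "plaintext"                # no protection at all
    REFUSED = "refused"                    # nothing acceptable was offered


def strict_context() -> ssl.SSLContext:
    """Client context that rejects any certificate not chaining to a trusted CA."""
    ctx = ssl.create_default_context()     # CERT_REQUIRED + hostname check
    return ctx


def opportunistic_context() -> ssl.SSLContext:
    """Client context that encrypts but does not authenticate the peer.
    Only protects against passive eavesdropping, not against an active MITM."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False             # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def connect(try_tls, accept_plaintext: bool) -> Outcome:
    """try_tls(ctx) attempts a handshake with ctx and returns True on success.
    Order of preference: verified TLS, unverified TLS, plaintext. The two
    fallbacks are only taken when plaintext would have been accepted anyway."""
    if try_tls(strict_context()):
        return Outcome.TLS_VERIFIED
    if not accept_plaintext:
        return Outcome.REFUSED             # a failed validation may be a MITM
    if try_tls(opportunistic_context()):
        return Outcome.TLS_OPPORTUNISTIC   # still better than the wire in clear
    return Outcome.PLAINTEXT


def tls_attempt(host: str, port: int):
    """Real try_tls callable for a live host (assumed helper, not exercised offline)."""
    def attempt(ctx: ssl.SSLContext) -> bool:
        try:
            with socket.create_connection((host, port), timeout=5) as raw:
                with ctx.wrap_socket(raw, server_hostname=host):
                    return True
        except (OSError, ssl.SSLError):    # includes SSLCertVerificationError
            return False
    return attempt
```

The tests below stand in for servers with a simulated `try_tls`: a self-signed server only completes a handshake when the context does no verification.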
