From: [email protected] [mailto:[email protected]] On Behalf Of Jonas Wielicki
Sent: Sunday, 16 December 2012 22:35
To: [email protected]
Subject: Re: [Operators] SSL certificates / private CAs / CACert issue

> On 16.12.2012 22:12, Claudiu Curcă wrote:
> > Excuse me, but why would anyone wish to use a nontrusted CA and open
> > themselves to MITM attacks when there are even recognized CAs which
> > offer certificates for free? (StartSSL comes to mind first...)
>
> That point is only relevant if you're rejecting unencrypted connections.
> But that is not the point of the discussion: It is about rejecting
> self-signed or "private" CAs in the context where unencrypted connections
> _are_ accepted.
>
> If an unencrypted connection is accepted, you're _always_ better off using an
> encrypted connection with a self-signed or whatever certificate, because you
> are at least protected against passive attacks just reading the packets
> in-transit.
>
> regards,
> Jonas W.

Hello Jonas,

Fair point, although I find it very hard to believe that anyone nowadays still runs an email server or Jabber server and hasn't completely turned off plaintext comms. Using plaintext comms for such communication is wrong on so many levels that I don't even want to get into such a discussion. Even if still using the legacy ports (25/5222), TLS is there for a very good reason.

Claudiu
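The two positions in the thread reduce to a question an operator can check on their own servers: on the legacy ports (25 for SMTP, 5222 for XMPP), does the server advertise STARTTLS at all, and, for XMPP, does it mark it as required so that a plaintext session is refused rather than merely tolerated? The following is an added example, not code posted by either participant or by the Operators list. It parses a constructed EHLO reply and constructed XMPP stream features (the host names in them are hypothetical) and includes a live SMTP probe that deliberately accepts self-signed certificates, since Jonas's point is that even an unverifiable certificate defeats passive sniffing.

```python
"""Added example: does a legacy-port SMTP/XMPP server offer STARTTLS, and
does the XMPP server refuse to proceed in plaintext?  Sample replies below
are constructed for this example; host names in them are hypothetical."""
import smtplib
import ssl
import xml.etree.ElementTree as ET

XMPP_TLS_NS = "urn:ietf:params:xml:ns:xmpp-tls"


def smtp_advertises_starttls(ehlo_reply: str) -> bool:
    """Parse a raw multi-line EHLO reply (RFC 5321) for the STARTTLS keyword.

    Lines after the greeting look like '250-KEYWORD [params]', the last one
    '250 KEYWORD'.  Keywords are case-insensitive.  A non-250 line means the
    server did not accept EHLO at all, so no extension can be trusted.
    """
    lines = ehlo_reply.strip().splitlines()
    for line in lines[1:]:                    # lines[0] is the server greeting
        if not line.startswith("250"):
            return False
        words = line[4:].split()
        if words and words[0].upper() == "STARTTLS":
            return True
    return False


def xmpp_starttls_policy(features_xml: str) -> str:
    """Classify the <stream:features/> sent on a fresh, unencrypted stream
    (RFC 6120 section 5.4.1):
      'required' : <starttls><required/></starttls>, plaintext is refused
      'optional' : <starttls/> without <required/>, plaintext is tolerated
      'none'     : no STARTTLS feature at all, plaintext only
    """
    root = ET.fromstring(features_xml)
    starttls = root.find(f"{{{XMPP_TLS_NS}}}starttls")
    if starttls is None:
        return "none"
    if starttls.find(f"{{{XMPP_TLS_NS}}}required") is not None:
        return "required"
    return "optional"


def probe_smtp(host: str, port: int = 25, timeout: float = 10.0) -> dict:
    """Live check (network, not exercised by the embedded samples): EHLO, then
    attempt STARTTLS.  Verification is switched off on purpose: we want to see
    whether TLS is offered and what certificate is presented, even self-signed,
    rather than fail on trust.  Raises smtplib exceptions on protocol errors."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    result = {"starttls_offered": False, "tls_version": None, "cert_der_len": 0}
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo()
        result["starttls_offered"] = smtp.has_extn("starttls")
        if result["starttls_offered"]:
            smtp.starttls(context=ctx)
            result["tls_version"] = smtp.sock.version()
            # With CERT_NONE getpeercert() is empty; the DER form is still returned.
            result["cert_der_len"] = len(smtp.sock.getpeercert(binary_form=True) or b"")
    return result


# Constructed samples (hypothetical hosts).
SAMPLE_EHLO = (
    "250-mail.example.net Hello client.example.org\r\n"
    "250-SIZE 52428800\r\n"
    "250-STARTTLS\r\n"
    "250 HELP\r\n"
)
SAMPLE_EHLO_PLAIN = "250-mail.example.net Hello client.example.org\r\n250 HELP\r\n"

_FEATURES = "<stream:features xmlns:stream='http://etherx.jabber.org/streams'>{}</stream:features>"
_SASL = "<mechanisms xmlns='urn:ietf:params:xml:ns:xmpp-sasl'><mechanism>PLAIN</mechanism></mechanisms>"
SAMPLE_FEATURES_REQUIRED = _FEATURES.format(
    f"<starttls xmlns='{XMPP_TLS_NS}'><required/></starttls>" + _SASL)
SAMPLE_FEATURES_OPTIONAL = _FEATURES.format(f"<starttls xmlns='{XMPP_TLS_NS}'/>" + _SASL)
SAMPLE_FEATURES_NONE = _FEATURES.format(_SASL)

if __name__ == "__main__":
    print("SMTP sample offers STARTTLS:", smtp_advertises_starttls(SAMPLE_EHLO))
    print("SMTP plain sample offers STARTTLS:", smtp_advertises_starttls(SAMPLE_EHLO_PLAIN))
    for name, xml in (("required", SAMPLE_FEATURES_REQUIRED),
                      ("optional", SAMPLE_FEATURES_OPTIONAL),
                      ("none", SAMPLE_FEATURES_NONE)):
        print(f"XMPP sample '{name}':", xmpp_starttls_policy(xml))
    # Live use: probe_smtp("mail.example.net") -> {'starttls_offered': ..., ...}
```

Only the "required" XMPP outcome corresponds to the state Claudiu assumes every operator has reached; "optional" is exactly the situation Jonas describes, where a plaintext session is still accepted and an unverified certificate is therefore still an improvement over no TLS at all.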
