On Mon, 8 Jul 2002, Analysis & Solutions wrote:
> Allow me to emphasize Richard's point about not trusting certificate 
> authorities.  I have an SSL certificate.  It was fairly simple to get, 
> despite several discrepancies in my documentation.
> It made things easier for me, which I'm thankful for.  Fortunately,
> I'm a legitimate operator.  But, it certainly demonstrates that subverting
> the process for nefarious reasons is a piece of cake.

But you're both ignoring the actual significant point (which I already 
made at great length, and feel somewhat like a sap for repeating):

Having a certificate signed by a recognized certificate authority provides 
at least some guarantee that you are communicating with the named party 
using somewhat reliable encryption.

On the other hand, if you connect with a remote site that has a
self-signed certificate, it's little better than using cleartext to port
80; almost anyone who would realistically have been in a position to snoop
on your HTTP traffic is also in a position to intercept and decode your
HTTPS traffic by masquerading as the remote host. So what's the point?

Self-signed certificates only make sense if you are able to securely
distribute your signer's public key to your users in advance of the web
transaction. This is fine for internal or staff use, but it is pretty
unwieldy when you're dealing with the general public.


PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
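The point made in the message above (a self-signed certificate only buys you
something if the signer's key was distributed in advance) can be shown end to
end with the Go standard library. The program below is an added example, not
code from the thread or from any of its participants. It mints a self-signed
certificate, starts a TLS server on loopback, and connects three times: a
client that was handed the signer's certificate ahead of time talking to the
real server, a client with only the system CA bundle talking to the real
server, and the pre-provisioned client talking to an impostor who minted his
own self-signed certificate for the same name. The hostname www.example.test,
the scenario names and the function names are made up for the illustration;
nothing outside the local machine is contacted.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

const host = "www.example.test" // made-up name for the illustration; only loopback is contacted

// selfSigned mints a fresh self-signed server certificate for host, much as
// `openssl req -x509 -newkey ...` would. Anyone, including an impostor, can do this.
func selfSigned() (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: host},
		DNSNames:              []string{host}, // hostname checks use the SAN, not the CN
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  true, // what openssl -x509 emits by default
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, nil
}

// handshake runs one TLS handshake on loopback: a server presenting serverCert against a
// client trusting only roots (nil = system CA bundle). Returns the client's verdict on the
// peer (nil = authenticated); a listen failure would surface here too.
func handshake(serverCert tls.Certificate, roots *x509.CertPool) error {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{serverCert}})
	if err != nil {
		return err
	}
	defer ln.Close()
	go func() { // serve exactly one connection; only the client's verdict matters here
		if conn, err := ln.Accept(); err == nil {
			_ = conn.(*tls.Conn).Handshake()
			conn.Close()
		}
	}()
	conn, err := tls.Dial("tcp", ln.Addr().String(), &tls.Config{RootCAs: roots, ServerName: host})
	if err != nil {
		return err // Dial completes the handshake, so this is the trust decision
	}
	conn.Close() // close_notify may race the server's close; not part of the verdict
	return nil
}

type Results struct {
	PinnedLegit error // signer's cert distributed in advance; the real server answers
	SystemRoots error // only the OS/browser CA bundle; the real server answers
	PinnedMITM  error // signer's cert distributed in advance; an impostor answers
}

// RunScenarios plays out the three situations the message contrasts.
func RunScenarios() (Results, error) {
	legit, err := selfSigned()
	if err != nil {
		return Results{}, err
	}
	impostor, err := selfSigned() // attacker's own self-signed cert for the same name
	if err != nil {
		return Results{}, err
	}
	pinned := x509.NewCertPool()
	pinned.AddCert(legit.Leaf) // the "securely distribute the signer's key in advance" step
	return Results{
		PinnedLegit: handshake(legit, pinned),
		SystemRoots: handshake(legit, nil),
		PinnedMITM:  handshake(impostor, pinned),
	}, nil
}

func main() {
	r, err := RunScenarios()
	if err != nil {
		panic(err)
	}
	fmt.Printf("pinned signer, real server: %v\nsystem roots, real server:  %v\npinned signer, impostor:    %v\n",
		r.PinnedLegit, r.SystemRoots, r.PinnedMITM)
}
```

Only the first handshake succeeds. The second fails with an unknown-authority
error, which is what a browser turns into the warning dialog most users click
through. The third fails for the same reason even though the impostor's
certificate carries the right hostname: the pinned pool holds the real signer's
key and nothing else, so the impostor cannot be confused with the real site.
Remove the pre-distribution step and the client has no way to tell the two
self-signed certificates apart, which is exactly why the message says a
self-signed certificate on a public site is little better than cleartext.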