On Tue, Dec 09, 2003 at 01:48:49AM +0800, Winelfred G. Pasamba wrote:
> About SSL (stunnel, postgresql's hostssl). How can we be sure the client
> is not fake? If we make a local CA, how can we be sure the local CA is
> not fake?

Note: SSL cannot help you if your hosts are themselves insecure. As Bruce Schneier laments in an issue of Crypto-Gram, the use of SSL these days looks like heavy armored cars being used to transport goods between ragged bums on park benches. If either host communicating via SSL is compromised, SSL is worthless. I suggest you attempt to harden your hosts as best you can before you get your hosts to communicate securely. If you can't trust the security of your own hosts, you're totally screwed in any case, and no cryptography will save you.

You do trust yourself and your hosts, right?

A self-signed certification authority you make and whose private key you have absolute control over should be sufficient for your needs, provided your hosts are secure and you keep your CA private key safe. Your CA certifies the public keys for your hosts (creating a public key certificate), and all of your hosts have a copy of the CA's public key. To make two hosts communicate, they exchange certificates. They verify the digital signature of the CA on the certificate, and if both match, the authentication protocol succeeds and they use their exchanged public keys to communicate. To do a MITM attack, an attacker would need the ability to sign her own bogus certificates, which is impossible unless she can break RSA or obtain a copy of the CA private key (which you should be keeping safe).

Frankly, I wouldn't use stunnel if you can avoid it. That's like a band-aid that is suitable only as an interim solution. Use the application's real SSL support whenever available.

For a true VPN, I can do no better than to point you to the FreeS/WAN project. The other Linux VPN solutions available seem to be little better than Microsoft PPTP.

--
Philippine Linux Users' Group (PLUG) Mailing List
[EMAIL PROTECTED] (#PLUG @ irc.free.net.ph)
Official Website: http://plug.linux.org.ph
Searchable Archives: http://marc.free.net.ph .
To leave, go to http://lists.q-linux.com/mailman/listinfo/plug .
Are you a Linux newbie? To join the newbie list, go to http://lists.q-linux.com/mailman/listinfo/ph-linux-newbie
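The private-CA scheme described in the reply above, worked through with the openssl command line as an added example (not code from the original thread): build a self-signed CA, issue certificates for two hosts, and run the check each peer performs on the certificate it receives. The hostnames db.example.internal and app.example.internal are constructed for the example, and it assumes the openssl tool is installed.

```shell
#!/bin/sh
# Assumes: openssl CLI available. All files go to a scratch directory.
set -e
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# 1. The private CA: a self-signed certificate. ca.key is the secret that
#    everything rests on; in real use it stays offline and never leaves the CA.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
    -subj "/CN=Example Private CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# 2. Per-host key pair and CSR, signed by the CA -> host certificate.
#    Only ca.crt (the public half) is copied to every host.
make_host_cert() {
  name="$1"
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$name" \
    -keyout "$WORK/$name.key" -out "$WORK/$name.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$name.csr" -CA "$WORK/ca.crt" \
    -CAkey "$WORK/ca.key" -CAcreateserial -days 365 \
    -out "$WORK/$name.crt" 2>/dev/null
}

# 3. What a peer does with the certificate it is handed on connect:
#    verify the CA's signature against the trusted ca.crt. Exit 0 = accepted.
verify_peer() {
  openssl verify -CAfile "$WORK/ca.crt" "$WORK/$1.crt" >/dev/null 2>&1
}

make_ca
make_host_cert db.example.internal
make_host_cert app.example.internal
verify_peer db.example.internal  && echo "db cert: accepted"
verify_peer app.example.internal && echo "app cert: accepted"

# 4. A certificate with the right name but issued by someone without our
#    CA key (here: self-signed) must be rejected. This is the MITM case
#    from the reply: without ca.key, no acceptable certificate can be forged.
openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
  -subj "/CN=db.example.internal" \
  -keyout "$WORK/rogue.key" -out "$WORK/rogue.crt" 2>/dev/null
if verify_peer rogue; then echo "rogue cert: WRONGLY ACCEPTED"; else echo "rogue cert: rejected"; fi
```

Real deployments also check that the certificate's name matches the host being connected to and that it has not been revoked; `openssl verify` alone covers only the signature chain and validity dates.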
