Re: self-signed certificates (was Re: I'd like to get rid of pulseaudio but ...)
On Sun, May 31, 2009 at 13:08:08 -0700, Wolfgang S. Rupprecht wolfgang.rupprecht+gnus200...@gmail.com wrote:

> As for the man-in-the-middle attack, I'd imagine the biggest usage case is an eavesdropped-in-the-middle and not someone that was able to break the data stream and insert themselves. Having an encrypted channel with a slightly nebulous endpoint is still better than having an unencrypted channel.

For average Joes, the most common problem is going to be that their machine is compromised. Extra security of https over http for them is barely a blip.

--
fedora-list mailing list
fedora-list@redhat.com
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
Guidelines: http://fedoraproject.org/wiki/Communicate/MailingListGuidelines

self-signed certificates (was Re: I'd like to get rid of pulseaudio but ...)
Chris Adams cmad...@hiwaay.net writes:

> HTTPS with an unknown self-signed cert is barely any more secure than unencrypted HTTP, since a man-in-the-middle attack could just be replacing the cert and decrypting all communications.

It is a shame that there isn't a simple documented way to add other CA's to Firefox's approved list or some system global way to add CA's for all programs looking for pki certs.

I for one don't really trust external CA's for access to my computers since I don't know their verification policy. For all I know one of them can be tricked into handing out a *.wsrcc.com certificate. I feel much more secure knowing that anyone signing with my CA first has to get hold of the signing key and then decrypt it.

As for the man-in-the-middle attack, I'd imagine the biggest usage case is an eavesdropped-in-the-middle and not someone that was able to break the data stream and insert themselves. Having an encrypted channel with a slightly nebulous endpoint is still better than having an unencrypted channel.

-wolfgang
--
Wolfgang S. Rupprecht
Android 1.5 (Cupcake) and Fedora-11

Re: self-signed certificates (was Re: I'd like to get rid of pulseaudio but ...)
Once upon a time, Wolfgang S. Rupprecht wolfgang.rupprecht+gnus200...@gmail.com said:

> It is a shame that there isn't a simple documented way to add other CA's to Firefox's approved list or some system global way to add CA's for all programs looking for pki certs.

For Firefox, you just have to publish the cert in DER format (with the MIME type application/x-x509-ca-cert). If you click on such a link, Firefox will ask you if you wish to trust the cert (and what classes of things you trust it for).

--
Chris Adams cmad...@hiwaay.net
Systems and Network Administrator - HiWAAY Internet Services
I don't speak for anybody but myself - that's enough trouble.
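
Added example (not part of the thread and not code from any poster): the publishing step described in the last message, in Python, converting a PEM CA certificate to DER and serving it with the application/x-x509-ca-cert MIME type. It also prints a SHA-256 fingerprint that users can compare over a separate channel before accepting the trust prompt. The sample bytes, the /ca.der path and port 8000 are assumptions for illustration.

```python
import hashlib
import ssl
from http.server import BaseHTTPRequestHandler, HTTPServer

CA_MIME = "application/x-x509-ca-cert"  # MIME type named in the message above

# Constructed stand-in bytes, NOT a real certificate; replace with your CA's PEM.
SAMPLE_DER = bytes.fromhex("3082000a") + b"constructed"
SAMPLE_PEM = ssl.DER_cert_to_PEM_cert(SAMPLE_DER)


def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armor and base64-decode to the DER bytes to publish."""
    return ssl.PEM_cert_to_DER_cert(pem)


def sha256_fingerprint(der: bytes) -> str:
    """Colon-separated SHA-256 of the DER, for out-of-band comparison."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def make_handler(der: bytes, path: str = "/ca.der"):
    """Build a handler that serves only the CA cert, with the CA MIME type."""
    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            if self.path != path:  # assumed path; nothing else is exposed
                self.send_error(404)
                return
            self.send_response(200)
            self.send_header("Content-Type", CA_MIME)
            self.send_header("Content-Length", str(len(der)))
            self.end_headers()
            self.wfile.write(der)

        def log_message(self, *args):  # keep the example quiet
            pass
    return Handler


if __name__ == "__main__":
    der = pem_to_der(SAMPLE_PEM)
    print("Publish this fingerprint over a separate channel:")
    print(sha256_fingerprint(der))
    # Assumed bind address and port for local testing.
    HTTPServer(("127.0.0.1", 8000), make_handler(der)).serve_forever()
```

The fingerprint matters because a CA certificate fetched over plain HTTP can be replaced in transit in the same way as the site certificate discussed earlier in the thread.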