On Wed, 2011-03-02 at 08:23 +0000, Hakan Koseoglu wrote:
> Hi Clint,
>
> On 22 February 2011 22:56, Clint Byrum <[email protected]> wrote:
> > This bug was opened recently:
> >
> > https://bugs.launchpad.net/bugs/695857
> >
> > It suggests that packages should configure themselves to require SSL by
> > default.
> >
> > I think this is actually a good idea, and I am wondering how this would
> > be received by the greater community.
> +1. It's a starting point.
>
> A good sample is SSH. You are not supposed to use password
> authenticated based SSH and only use passphrase protected distributed
> keys but hey, it's way better than Telnet in all cases!
>
> Forcing a naive system administrator to think about SSL & certificates
> is at least something useful. Of course there should be abilities to
> opt-out where SSL is not required. On the other hand, it's like saying
> "on secured networks SSH is not required, telnet is all you need" and
> I'm sure all of us would look at that sentence and mutter "insanity!".

Please don't compare using password-protected SSH with using self-signed
certificates. Using passwords instead of certificates with SSH has no
impact on its effectiveness against MITM attacks. Of course it's better
than Telnet.

It is trivial to MITM self-signed certs, thereby countering any security
advantage by adding SSL. Of course, I assume that people who are clicking
Accept in their browser aren't validating the SSL cert fingerprint, as
technical SSH users are instructed to do.

Marc.

--
ubuntu-server mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server
More info: https://wiki.ubuntu.com/ServerTeam
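
What validating the fingerprint of a self-signed certificate amounts to on the client side, as an added example that is not part of the original thread: a known_hosts-style pin check in which a certificate that differs from the pinned one is refused. The host names, the pin store and the two byte strings standing in for DER certificates are constructed for illustration.

```python
import hashlib
import hmac
import socket
import ssl


def fingerprint(der: bytes) -> str:
    """SHA-256 over the DER certificate, as colon-separated hex."""
    digest = hashlib.sha256(der).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def check_pin(pins: dict, host: str, der: bytes) -> str:
    """known_hosts-style decision: 'new', 'match' or 'mismatch'."""
    seen = fingerprint(der)
    pinned = pins.get(host)
    if pinned is None:
        return "new"       # confirm the fingerprint out of band before pinning
    if hmac.compare_digest(pinned.lower(), seen):
        return "match"
    return "mismatch"      # not the pinned certificate: refuse to proceed


def fetch_der(host: str, port: int = 443, timeout: float = 5.0) -> bytes:
    """Fetch the peer certificate of a self-signed server (not run below)."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # no CA chain exists; trust comes only from the pin
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            # Send no application data on this connection before check_pin() passes.
            return tls.getpeercert(binary_form=True)


# Constructed byte strings standing in for two different DER certificates.
CERT_SERVER = b"constructed-der-bytes-of-the-real-server"
CERT_OTHER = b"constructed-der-bytes-of-a-different-certificate"
PINS = {"db.example.internal": fingerprint(CERT_SERVER)}

if __name__ == "__main__":
    for label, der in (("expected", CERT_SERVER), ("changed", CERT_OTHER)):
        print(label, check_pin(PINS, "db.example.internal", der))
    print("unknown", check_pin(PINS, "new.example.internal", CERT_SERVER))
```

The "new" result is the step the reply says browser users skip: accepting an unseen certificate without comparing its fingerprint against a value obtained over a separate trusted channel.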
