On Wed, 2011-03-02 at 17:05 +0200, Clint Byrum wrote:
> On Wed, 2011-03-02 at 08:45 -0500, Marc Deslauriers wrote:
> > On Wed, 2011-03-02 at 08:23 +0000, Hakan Koseoglu wrote:
> > > Forcing a naive system administrator to think about SSL & certificates
> > > is at least something useful. Of course there should be abilities to
> > > opt out where SSL is not required. On the other hand, it's like saying
> > > "on secured networks SSH is not required, telnet is all you need" and
> > > I'm sure all of us would look at that sentence and mutter "insanity!".
> >
> > Please don't compare using password-protected SSH with using self-signed
> > certificates. Using passwords instead of certificates with SSH has no
> > impact on its effectiveness against MITM attacks. Of course it's better
> > than Telnet.
> >
> > It is trivial to MITM self-signed certs, thereby countering any security
> > advantage by adding SSL. Of course, I assume that people who are
> > clicking Accept in their browser aren't validating the SSL cert
> > fingerprint, as technical SSH users are instructed to do.
> >
>
> I think you're trivializing a decent analogy, though I agree it's not
> entirely the same. However, SSH carries the same fingerprint
> verification problem that makes MITM just as simple on the first
> connection. Most browser users will save the certificate and be warned
> if it changes, just like the SSH user will be warned.
>
> The main difference is that ssh would generally be used by a more
> conscientious user than a browser user.
>
I totally agree. If web SSL self-signed certs were only for sysadmins who would know to validate the fingerprint and suspect something is wrong when they get a new browser warning, there would be a big advantage to turning it on. Unfortunately, that's not the case, and it's why you can't deploy self-signed certs to end users and expect any level of security.

Marc.

-- 
ubuntu-server mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server
More info: https://wiki.ubuntu.com/ServerTeam
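The trust-on-first-use behaviour the thread compares (SSH warning on a changed host key, a browser warning on a changed saved certificate), as an added example that is not part of the thread or of any Ubuntu tool: a small Python client that records a TLS server's certificate fingerprint on first contact and reports whether later contacts match, differ, or are new. The store path and all function names are assumptions.

```python
import hashlib
import json
import socket
import ssl
from pathlib import Path

# Assumed location of a "known hosts" file for TLS fingerprints, modelled on
# ~/.ssh/known_hosts; not a path any real tool uses.
STORE = Path.home() / ".known_tls_hosts.json"

def fingerprint(der_cert: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate as colon-separated hex."""
    digest = hashlib.sha256(der_cert).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def check_host(store: dict, host: str, der_cert: bytes) -> str:
    """Trust-on-first-use check, like SSH's known_hosts handling.
    "new": first contact, fingerprint recorded unverified (the first-connection
    gap the thread mentions); "ok": matches; "changed": differs from the
    recorded one and must be treated as a possible MITM, not clicked through."""
    fp = fingerprint(der_cert)
    known = store.get(host)
    if known is None:
        store[host] = fp
        return "new"
    return "ok" if known == fp else "changed"

def load_store(path: Path = STORE) -> dict:
    return json.loads(path.read_text()) if path.exists() else {}

def save_store(store: dict, path: Path = STORE) -> None:
    path.write_text(json.dumps(store, indent=2))

def fetch_der_cert(host: str, port: int = 443) -> bytes:
    """Fetch the peer's leaf certificate in DER form. Chain validation is off
    because a self-signed cert cannot pass it; the fingerprint store is the
    only check made here."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)

if __name__ == "__main__":
    import sys
    store = load_store()
    verdict = check_host(store, sys.argv[1], fetch_der_cert(sys.argv[1]))
    save_store(store)
    print(sys.argv[1], verdict, store[sys.argv[1]])
```

The "new" verdict is exactly the first-connection gap Clint describes: the fingerprint must be compared out of band (for example against a value the server operator published) before it is worth anything.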
