Could we dispense with the ego-clanking, please?  Really?  Keep in mind that 
EVERYONE has the same problem regardless of your IQ level: for everything you 
know there are three to five things you do not know and at least one that you 
do not know you do not know.  Accept that fact and life gets somewhat clearer.  
If I had known that this was the normal board-of-faire I would not have 
subscribed to this.

Jeff Fisher
Omaha, NE

-----Original Message-----
From: Christopher Schultz [mailto:ch...@christopherschultz.net] 
Sent: Tuesday, March 19, 2013 9:52 AM
To: Tomcat Users List
Subject: Re: SSL Best Practices

Martin,

On 3/19/13 7:34 AM, Martin Gainty wrote:
> 1) Have you ever tried to coerce IE to accept a self-signed cert

This is a trust issue, not a security issue. They are related, but not 
equivalent.

> 2) if you purchase a pfx with a self-signed certificate sold to you by 
> chris_is_a_hacker.com for 1.00 then who do you think can break it

I'm not sure what a PFX is, but the certificate itself is as strong as the key 
used to create it. If you generate a 1-bit key, you'll be hacked in 0 minutes. 
But nobody does that: we all create 4096-bit keys which, theoretically, can't 
be broken even by a well-funded adversary with unreasonably-limited computing 
power before the sun gets tired of shining.

> The cert allows browser to contact the site's SSL connector.. by 
> presenting credentials usually from a Name Server such as ADS or LDAP

Whoa, your algorithm has started to bring in random bits of search results from 
the Internet. Time to reset your learning tree and start again.

> the real work involves breaking the algorithm implemented by the key

Yup. Good luck with RSA and friends.

> in order to establish Key exchange on a SSLv2 transport

Anyone using SSLv2 is vulnerable, which is why it's no longer used.
For a long time, now.

> I sincerely doubt even chris_is_a-hacker can break any of the RSA 
> algorithms implemented by the key inside a versign.pfx

While true, it's also true of your own self-signature. Verisign uses a 2048-bit 
key to sign everything. Most sites these days use 4096-bit keys (at least those 
I configure, apache.org, etc.). (Oddly enough, Facebook uses a 1024-bit key.) 
If you create a server cert with a 4096-bit key, you are creating a fairly 
secure certificate no matter who signs it. And, if you sign it yourself and 
keep the key secure (which is kind of impossible unless you are using a 
different key for signing than you do for the server's key) then you are doing 
better than any CA out there.

Again, the CA is only there to provide a trusted 3rd-party: they have nothing 
to do with the security of the connection, the hackability of the server, etc.

-chris
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
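
Added example, not part of either message: the quoted reply separates key strength from trust and mentions signing with a key other than the server's own. This sketch builds a private signing certificate and a server certificate, both with 4096-bit RSA keys, then shows that `openssl verify` accepts the server certificate only when the signing certificate is supplied as a trust anchor. The CN values and file names are assumptions made for the demo.

```sh
#!/bin/sh
# Constructed demo; CN values and file names are assumptions.
set -eu
WORK=$(mktemp -d)

make_certs() {
    # Signing key and self-signed signing certificate, separate from the server key.
    openssl req -x509 -newkey rsa:4096 -nodes -days 30 -subj "/CN=demo-ca" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
    # Server key and certificate signing request.
    openssl req -newkey rsa:4096 -nodes -subj "/CN=server.example.test" \
        -keyout "$WORK/srv.key" -out "$WORK/srv.csr" 2>/dev/null
    # Sign the server certificate with the private signing key.
    openssl x509 -req -in "$WORK/srv.csr" -CA "$WORK/ca.crt" \
        -CAkey "$WORK/ca.key" -CAcreateserial -days 30 \
        -out "$WORK/srv.crt" 2>/dev/null
}

# Print the public key size (in bits) of the certificate in $1.
key_bits() {
    openssl x509 -in "$1" -noout -text |
        sed -n 's/.*Public[- ]Key: (\([0-9]*\) bit).*/\1/p'
}

# Succeed if certificate $1 chains to anchor $2, or to the default store if $2 is omitted.
is_trusted() {
    if [ -n "${2:-}" ]; then
        openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
    else
        openssl verify "$1" >/dev/null 2>&1
    fi
}

make_certs
echo "server key size: $(key_bits "$WORK/srv.crt") bits"
if is_trusted "$WORK/srv.crt"; then echo "default store: trusted"
else echo "default store: NOT trusted"; fi
if is_trusted "$WORK/srv.crt" "$WORK/ca.crt"; then echo "with demo CA: trusted"
else echo "with demo CA: NOT trusted"; fi
```

The key size is the same in both checks; only the verifier's set of trust anchors changes the outcome.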

