[ntp:questions] Re: 4.2.1-RC

Danny Mayer mayer at ntp.isc.org
Sun Mar 26 05:11:18 UTC 2006


David Woolley wrote:
> In article <slrne27vp4.5u2.kostecke at stasis.kostecke.net>,
> Steve Kostecke <kostecke at ntp.isc.org> wrote:
> 
>> We are using a self-signed SSL certificate.
> 
> Which means that you have little more security than if you weren't using
> one at all (note although SSL can negotiate no authentication, I don't
> think that normal browsers or servers permit that - that's because an
> unauthenticated connection is basically insecure!).
> 
>> Most people choose to accept this certificate
> 
> Most people don't understand the purpose of certificates.  They think
> they are used and needed for encryption, whereas encryption is perfectly
> possible with a purely transient public key, but is vulnerable to a
> man in the middle attack.  If they did understand them, they would be
> cautious of using the many e-commerce sites whose certificates don't
> match the business they think they are dealing with.  (One can probably
> trust Worldpay to authenticate their merchants, but many certificates are
> for unknown web hosting companies.)
> 
> Some will have made a conscious decision that either a man in the middle
> attack isn't likely or that they don't think the site needs encryption.
> 
> Even fewer will have made that decision first time, then saved the
> certificate, so that any man in the middle attack would have to be long
> term for it not to become exposed.
> 
>>                                            (hopefully after examining
>> it).
> 
> Anyone examining it should realise that, unless they take steps to
> authenticate the certificate by other means (a notarised paper copy of
> the fingerprint?), they could actually be talking to almost anyone.
> You look at certificates to see if you trust the counter-signatory,
> and to see if the subject name matches the organisation it purports to
> belong to well enough that no-one except that organisation could have
> convinced the counter-signatory to counter sign it.
> 
> The legitimate use of self signed certificates is where there is 
> another means used to distribute the certificate to the client, e.g.
> for Verisign, it comes with the browser, for a company's internal server,
> it's placed on the PCs by the IT department, or for a software support
> site, it came with the original software disk.
> 

In our case we don't want your credit cards, bank accounts, health info
or any private information. About the only thing it gets used for is to
protect passwords for people who've signed up. We are unlikely to buy a
certified certificate for that.

Danny
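
Added example, not part of the original messages: a minimal Python sketch of the two checks the quoted text describes, comparing a certificate against a fingerprint distributed by other means and against a certificate saved on first acceptance. The `PinStore` class, the host name `support.example` and the byte strings standing in for certificates are all constructed for illustration.

```python
import hashlib
import hmac

# CONSTRUCTED stand-ins for DER-encoded certificates (not real certificates).
SERVER_CERT = b"constructed stand-in: the site's self-signed certificate"
MITM_CERT = b"constructed stand-in: a certificate presented by an interceptor"

def fingerprint(der_cert: bytes) -> str:
    """SHA-256 over the DER bytes, as lowercase hex."""
    return hashlib.sha256(der_cert).hexdigest()

def normalise(fp: str) -> str:
    """Accept 'AB:CD:...', spaced or plain hex, as copied from paper or a browser."""
    cleaned = fp.replace(":", "").replace(" ", "").lower()
    if len(cleaned) != 64 or any(c not in "0123456789abcdef" for c in cleaned):
        raise ValueError("not a SHA-256 fingerprint")
    return cleaned

class PinStore:
    """Hypothetical in-memory store: host -> (fingerprint, how it became trusted)."""

    def __init__(self):
        self.pins = {}

    def pin_out_of_band(self, host: str, published_fp: str) -> None:
        # Fingerprint received over a separate channel (paper copy, install media).
        self.pins[host] = (normalise(published_fp), "out-of-band")

    def check(self, host: str, der_cert: bytes) -> str:
        seen = fingerprint(der_cert)
        if host not in self.pins:
            # Nothing to compare against: an interceptor present now is not detected.
            self.pins[host] = (seen, "first-use")
            return "pinned-on-first-use"
        pinned, how = self.pins[host]
        if hmac.compare_digest(pinned, seen):
            return "match-" + how
        return "MISMATCH"

def demo() -> list:
    saved = PinStore()            # user accepted and saved the certificate once
    first = [saved.check("support.example", c)
             for c in (SERVER_CERT, SERVER_CERT, MITM_CERT)]
    verified = PinStore()         # fingerprint distributed by other means
    verified.pin_out_of_band("support.example", fingerprint(SERVER_CERT).upper())
    return first + [verified.check("support.example", MITM_CERT)]

if __name__ == "__main__":
    print(demo())
```

Against a live TLS connection, the DER bytes would come from `ssl.SSLSocket.getpeercert(binary_form=True)`.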


