[ntp:questions] Re: 4.2.1-RC

David Woolley david at djwhome.demon.co.uk
Mon Mar 27 07:26:00 UTC 2006


In article <44262276.7000301 at ntp.isc.org>,
mayer at ntp.isc.org (Danny Mayer) wrote:

> In our case we don't want your credit cards, bank accounts, health info
> or any private information. About the only thing it gets used for is to
> protect passwords for people who've signed up. We are unlikely to buy a
> certified certificate for that.

In that case, don't use SSL.  Using SSL will give people a false sense
of security and possibly cause them to use passwords that are used for
other purposes that are more sensitive (I doubt many people use a 
different password for every site, and even if they do, the password 
could give a clue to the others).

The only purpose of your certificate is to trick the web server into
offering an unauthenticated connection, against its better judgement,
and probably against that of the browser.

If you still want to offer null authentication, and you are using an
openSSL based web server, you could try the effect of using "aNULL" as the
only permitted authentication scheme in the cipher specification string,
although I haven't tried this to see if common browsers will accept it -
any openSSL based browser with a default configuration is likely to
reject it, as openSSL will only use it if explicitly specified.  (If it
works, this tactic is still likely to give a false sense of security.)

Note the warning in the openSSL ciphers man page entry for this (this
is the same vulnerability as a self signed certificate which has not
been authenticated by out of band means):

       aNULL
           the cipher suites offering no authentication. This is
           currently the anonymous DH algorithms. These cipher
           suites are vulnerable to a "man in the middle" attack
           and so their use is normally discouraged.


david at djwhome:~$ openssl ciphers aNULL+MEDIUM
ADH-DES-CBC3-SHA:ADH-DES-CBC-SHA:ADH-RC4-MD5
david at djwhome:~$
(I'm not sure that this should be offering DES-CBC, but it is a rather
old openSSL.)




More information about the questions mailing list