-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Casper the Friendly Ghost wrote:
>>that's how i was running initially, but i wanted a real ssl cert.
>>i got a trial now, you can check it out at https://lowmips.com
>>geez, these things are expensive!
>>what do you folks use for ssl?
There was a thread about cheap key signing authorities on gentoo-server
these days ([gentoo-server] cannot I save this LOTS of money?). In
short, you may look at
http://www.cacert.org/ free, but not yet accepted out of the box by all
browsers, or
> freessl.com has wildcard certs and they claim a very high percentage of browsers will accept them.
> well signing ssl certificates DOES make them more complete (so to say), but it
> is not entirely necessary...the point of having ssl on your http is so that it
> encrypts your connection...getting it signed by one of those companies is
> worth it if you have a company or something large like that and you provide
> several internet services.
Having an unsigned or self-signed key may be all right for private use or
within a closed user group, but it surely is a security issue on public
sites. There is a comment about that on
http://www.heise.de/security/artikel/40073 (in German only, sorry).
In short the problem is the following: an encrypted connection is _not_
secure by default - it is only secure if you are sure that the
encryption key used is owned by the server you try to connect to. So with
untrusted keys you would have to check the key fingerprint _and_ you
have to know the correct fingerprint.
This may not seem worth talking about to many on this list, but while
users not knowing about the (technical) details get used to ignoring the
warning messages of their browser, an attack will be very easy in the future.
So for public websites you should set up encryption correctly recognized
by browsers or don't encrypt at all.
> personally i just have my own ssl certificate on my server at home and it all
> works fine, except giving me a warning that it isn't signed. it still
> encrypts my connection, which is all i care about
...but the connection still is not secure until you check the key
fingerprint - to regard it as secure just because it seems to be the
correct content is an illusion.
Just my 2 cents talking about security.
Andreas
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFBdjoFyMU6OiJ0xNoRAm6nAJoCbdjW5q5p0l2/LMT/yjSYEsZ0pQCfQ9V3
G1eoZIN1qHK/AEtAIAFUyLM=
=/r1n
-----END PGP SIGNATURE-----
--
gentoo-user@gentoo.org mailing list
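An added example, not part of the thread and not anyone's posted code, illustrating Andreas's point that an encrypted connection is only secure once the server's key is authenticated: the first context below is what "it still encrypts my connection" amounts to (no chain check, no hostname check), the second is what a browser does for a CA-signed certificate, and the fingerprint functions show the out-of-band check he describes for an untrusted or self-signed key. The hostname, port, pinned fingerprint and the DER bytes are constructed placeholders, assumed for the example.

```python
"""Encryption vs. authentication in a TLS client (added example, not from the thread)."""
import hashlib
import hmac
import socket
import ssl
from typing import Optional

# Constructed stand-in for a DER-encoded certificate; a real one comes from
# the server (getpeercert(binary_form=True)) or from a .crt file.
SAMPLE_DER = b"constructed-der-certificate-bytes-for-the-example"


def encrypt_only_context() -> ssl.SSLContext:
    """Encrypts the channel but trusts whatever key the peer presents.

    Any party that can redirect the connection can present its own key and
    read the traffic; the client cannot tell the difference.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False          # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def verified_context() -> ssl.SSLContext:
    """Chain validated against the system trust store, name checked against
    the hostname requested. This is what a browser does for a CA-signed cert."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED + check_hostname by default
    return ctx


def sha256_fingerprint(der_cert: bytes) -> str:
    """Colon-separated SHA-256 fingerprint of a DER certificate, the form that
    `openssl x509 -noout -fingerprint -sha256` prints."""
    digest = hashlib.sha256(der_cert).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fingerprint_matches(der_cert: bytes, pinned: str) -> bool:
    """The check Andreas describes for an untrusted key: compare the presented
    certificate against a fingerprint learned out of band (phone, in person,
    a signed mail), never one read from the connection itself."""
    return hmac.compare_digest(sha256_fingerprint(der_cert), pinned.upper())


def open_authenticated(host: str, port: int = 443,
                       pinned_sha256: Optional[str] = None) -> ssl.SSLSocket:
    """Open a TLS connection that is actually authenticated.

    With no pin the CA chain and hostname are verified. With a pin (self-signed
    cert inside a closed user group) chain verification is skipped, but the
    connection is refused unless the presented certificate matches the pin.
    """
    if pinned_sha256 is None:
        ctx = verified_context()
    else:
        ctx = encrypt_only_context()    # no CA to check; the pin replaces it
    raw = socket.create_connection((host, port))
    tls = ctx.wrap_socket(raw, server_hostname=host)
    if pinned_sha256 is not None:
        presented = tls.getpeercert(binary_form=True) or b""
        if not fingerprint_matches(presented, pinned_sha256):
            tls.close()
            raise ssl.SSLCertVerificationError(
                f"certificate for {host} does not match the pinned fingerprint")
    return tls


if __name__ == "__main__":
    # Placeholder host and pin, assumed for the example; not a real endpoint.
    print("pin for the constructed cert:", sha256_fingerprint(SAMPLE_DER))
    print("encrypt-only verify_mode:", encrypt_only_context().verify_mode)
    print("verified verify_mode:    ", verified_context().verify_mode)
```

The contrast between the two contexts is the whole argument: `encrypt_only_context` is enough to stop a passive eavesdropper on the wire, but it gives no assurance about who holds the key on the other end, which is exactly the warning a browser shows for a self-signed certificate. `open_authenticated` with a pin is the closed-group case from the mail: acceptable when the fingerprint was exchanged out of band, useless for an anonymous public site.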