[jdev] self signed cert

Marcel Waldvogel marcel.waldvogel at uni-konstanz.de
Thu May 5 06:04:22 UTC 2016


But then, you're better up setting upyour own CA between your clients and servers.

Viele Grüsse,
-Marcel Waldvogel
(kurz&bündig)

> Am 05.05.2016 um 07:09 schrieb DannyD <daniel.m.devine at gmail.com>:
> 
> They absolutely do.  If you construct your own chain (qualified answer: strong crypto, valid fields, proper chaining) , from end-to-end with only certs that you trust and control, you're 100%.
> 
> Hard is getting client (with only pinned cert) and server (with only pinned cert) combo deployed where you need.
> 
> Recommend this book:  http://www.amazon.com/gp/aw/d/1907117040/ref=mp_s_a_1_1?qid=1462424910&sr=8-1&pi=SY200_QL40&keywords=bulletproof+tls&dpPl=1&dpID=41QGf5IVA3L&ref=plSrch
> 
> Delivered by drones...
> 
>> On May 4, 2016 9:53 PM, "Marcel Waldvogel" <marcel.waldvogel at uni-konstanz.de> wrote:
>> But then again, these days, self-signed certs have no advantage over CA-signed certs.
>> 
>> Viele Grüsse,
>> -Marcel Waldvogel
>> (kurz&bündig)
>> 
>>> Am 04.05.2016 um 16:05 schrieb Dave Cridland <dave at cridland.net>:
>>> 
>>> 
>>> 
>>>> On 3 May 2016 at 19:10, Tomasz Sterna <tomek at xiaoka.com> wrote:
>>>> W dniu 03.05.2016, wto o godzinie 09∶40 -0700, użytkownik
>>>> lists at lazygranch.com napisał:
>>>> > I suspect you wouldn't want s2s to use a self signed cert, so
>>>> > allowing two level of verification (c2s and s2s) sounds complex. You
>>>> > fix one thing in software and you break something else.
>>>> 
>>>> So, why would you allow self-signed on C2S?
>>>> 
>>>> Why do you want to use encryption in the first place?
>>>> So, no one is able to read the conversation, right?
>>>> But self-signed cert does not give you this... Just a false illusion
>>>> that you are protected from evesdropping.
>>>> But self-signed does not protect you from man-in-the-middle attack, so
>>>> basically still anyone able to tap the wire your transmission is going
>>>> through is able to read it, with just slightly more effort.
>>> 
>>> I used to agree with you, but I've changed my mind over the years - it turns out that because it forces an attacker to switch from passive eavesdropping to active MITM, this is a blocker for the majority of attackers, especially opportunistic or mass-surveillance actors.
>>> 
>>> So a self-signed cert is better than no cert at all (even if you want something independently verifiable ideally).
>>>  
>>>> 
>>>> > I noticed the online documentation doesn't completely match the xml,
>>>> > but there are enough comments in the xml that I could get close to
>>>> > setting it up. It is just the certs that are confusing.
>>>> 
>>>> Yeah. The real and up to date source of documentation are the comments
>>>> in the configuration files.
>>>> 
>>>> 
>>>> --
>>>>  /o__
>>>> (_<^' Practice is the best of all instructors.
>>>> 
>>>> 
>>>> _______________________________________________
>>>> JDev mailing list
>>>> Info: http://mail.jabber.org/mailman/listinfo/jdev
>>>> Unsubscribe: JDev-unsubscribe at jabber.org
>>>> _______________________________________________
>>> 
>>> _______________________________________________
>>> JDev mailing list
>>> Info: http://mail.jabber.org/mailman/listinfo/jdev
>>> Unsubscribe: JDev-unsubscribe at jabber.org
>>> _______________________________________________
>> 
>> _______________________________________________
>> JDev mailing list
>> Info: http://mail.jabber.org/mailman/listinfo/jdev
>> Unsubscribe: JDev-unsubscribe at jabber.org
>> _______________________________________________
> _______________________________________________
> JDev mailing list
> Info: http://mail.jabber.org/mailman/listinfo/jdev
> Unsubscribe: JDev-unsubscribe at jabber.org
> _______________________________________________
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.jabber.org/pipermail/jdev/attachments/20160505/1a64f1fb/attachment.html>


More information about the JDev mailing list