[Operators] SSL certificates / private CAs / CACert issue

Jonas Wielicki xmpp-operators at sotecware.net
Sun Dec 16 21:35:11 UTC 2012

On 16.12.2012 22:12, Claudiu Curcă wrote:
> Excuse me, but why would anyone wish to use a nontrusted CA and open themselves to MITM attacks when there are even recognized CAs which offer certificates for free? (StartSSL comes to mind first...)

That point is only relevant if you're rejecting unencrypted connections.
But that is not the point of the discussion: It is about rejecting
self-signed or “private” CAs in the context where unencrypted
connections _are_ accepted.

If an unencrypted connection is accepted, you're _always_ better off using
an encrypted connection with a self-signed or whatever certificate,
because you are at least protected against passive attacks just
reading the packets in-transit.

Jonas W.

