[Operators] SSL certificates / private CAs / CACert issue

Claudiu Curcă claudiu at coderollers.com
Sun Dec 16 21:41:39 UTC 2012


From: operators-bounces at xmpp.org [mailto:operators-bounces at xmpp.org] On Behalf Of Jonas Wielicki
Sent: duminică, 16 decembrie 2012 22:35
To: operators at xmpp.org
Subject: Re: [Operators] SSL certificates / private CAs / CACert issue

> On 16.12.2012 22:12, Claudiu Curcă wrote:
> > Excuse me, but why would anyone wish to use a nontrusted CA and open 
> > themselves to MITM attacks when there are even recognized CAs which 
> > offer certificates for free? (StartSSL comes to mind first...)
> 
> That point is only relevant if you're rejecting unencrypted connections.
> But that is not the point of the discussion: It is about rejecting self-signed or “private” CAs in the context where unencrypted connections _are_ accepted.
>
> If an unencrypted connection is accepted, you're _always_ better using an encrypted connection with a self-signed or whatever certificate, because you are at least protected against passive attacks just reading the packets in-transit.
>
> regards,
> Jonas W.

Hello Jonas,

Fair point, although I find it very hard to believe that anyone nowadays still runs an email server or Jabber server and hasn't completely turned off plaintext comms. Using plaintext comms for such communication is wrong on so many levels that I don't even want to get into such a discussion.
Even if still using the legacy ports (25/5222), TLS is there for a very good reason.

Claudiu
