[H-GEN] https + apache

Russell Stuart russell at stuart.id.au
Fri Jul 18 22:26:17 EDT 2003 

[ Humbug *General* list - semi-serious discussions about Humbug and     ]
[ Unix-related topics. Posts from non-subscribed addresses will vanish. ]

"Michael Anthon" <michael at anthon.net> said:
> >    All my questions arise from this f#*$)*! X509 cert.  If I could get
> >    rid of it then life would be easy.  Its all the more frustrating
> >    because I don't see how it raises the security of HTTPS.  It sole
> >    function seems to be yet another dismal failure from Netscape in
> >    its attempt to build a business.
> >
> I have similar feeiling about this.  I want to be able to use SSL to 
> secure the connection but I couldn't care less if the client believe I 
> am who I say I am (which is what CA signed certs is all about)

More to the point, the client (ie the browser) doesn't use the cert to
verify the merchant is who the user thinks it is.  Consider a recent
scam where someone created web pages that looked like a banks.
Then they tricked users into going to those pages, and then into 
handing over their bank account numbers and pins.  The only point 
of having a cert within SSL is to protect against this type of attack.
But it doesn't.  It is, as far as I can tell, a total waste of time, 
money and CPU cycles.

It would not of been hard to get this right.  When you first conncted
to the SSL merchant, the browser could always give you are warning,
and then save the url/cert combination for next time.  Providing the
cert matched the url no more warnings.  This is exactly what ssh
does now.  The current scheme of not giving a warning if the cert
has been signed does not strengthen the system.  It weakens it to
the point of being useless.

> >    If I don't want the "unsafe" message then I need a trusted root CA
> >
> This depends a bit on your target.  If it's J. RandomUser then you don't 
> really have a choice.  If you don'thave it signed by a root CA then they 
> will get the warning [1].  If it's targeted at machine you have control 
> over you can generally import extra certificates into the browser to 
> avoid the warnings.
> 
> I'm currently looking around myself, www.fressl.com seems to be 
> reasonably priced.

Thanks for the url.  Does anybody know of cheap SSL cert
providers?


--
* This is list (humbug) general handled by majordomo at lists.humbug.org.au .
* Postings to this list are only accepted from subscribed addresses of
* lists 'general' or 'general-post'.  See http://www.humbug.org.au/

More information about the General mailing list