[ale] https

Wed Feb 13 15:02:11 EST 2002

I think that the certificate businesses (Verisign and Thwate) do some
research into the certificate holder to make sure that it is a "real"
business and not some 3l33t hax0r.... but I came across someone's
investigation where they basically had their pet dog as the head of a
fictional company that got a certificate.... (hmmm could this work so that I
can I claim my 2 dogs and the SO's 2 cat's as dependents on taxes?.. JUST
KIDDING ! ).  I also think that it is supposed to be set up something like
the public/private key authentication mechanism and also with browsers and
their "OK'ing" stuff when the cert is from Verisign/Thwate.  However, let us
not forget that a black hat got 9 certificate #'s that belonged to our dear
friends from Redmond.  Of course when it made the news MS made a patch that
would fix IE to not trust the 9 numbers (and what else it did I don't know).

It depends on what degree of security you want and how much you are willing
to do/pay for.  My last job just used a self generated certificate, but we
were not dealing with any e-commerce.

Basically you are correct in your summation concerning the cert pimps and
"joe the web guy".

Greg the web guy (not to be confused w/ joe the web guy)

> -----Original Message-----
> From: Geoffrey [mailto:esoteric at 3times25.net]
> Sent: Wednesday, February 13, 2002 2:18 PM
> To: ale at ale.org
> Subject: Re: [ale] https
>
>
> Denny Chambers wrote:
> > Here is a link to the modssl userguide, which talks about creating your
> > own self sign certificates. This will work on your ssl server, although
> > this method is not as secure as having a real certificate from a CA. On
> > the other hand this is a lot cheaper.
>
> Correct me if I'm wrong, but the security of a self signed certificate
> is no less then the security of a purchased one.  The only difference is
> that folks visiting your site might feel more comfortable finding the
> certificate is signed by one of the well known certificate rapists,
> rather then being signed by 'joe the web guy.'
>
> --
> Until later: Geoffrey		esoteric at 3times25.net
>
> "...the system (Microsoft passport) carries significant risks to
> users that
> are not made adequately clear in the technical documentation available."
> - David P. Kormann and Aviel D. Rubin, AT&T Labs - Research
> - http://www.avirubin.com/passport.html
>
>
> ---
> This message has been sent through the ALE general discussion list.
> See http://www.ale.org/mailing-lists.shtml for more info.
> Problems should be
> sent to listmaster at ale dot org.
>
>
>

---
This message has been sent through the ALE general discussion list.
See http://www.ale.org/mailing-lists.shtml for more info. Problems should be 
sent to listmaster at ale dot org.