[ale] https
Geoffrey
esoteric at 3times25.net
Wed Feb 13 16:01:47 EST 2002
All this talk about security is a twofold issue. When I talk about
security, I'm referring to the actual software. That is, both SSL using
a self-signed certificate and SSL using a Verisign-signed certificate
use the same code, hence they have the same security.
Now whether you get a warm and fuzzy feeling when you see that Verisign
has signed the cert. versus Joe Bob's Certificate Signing Co. is really
an individual issue. Granted, if you're visiting a site where you don't know
the folks, you probably want a cert. signed by one of the big boys. If
you're putting up your own site for your customers/employees to access,
I'd say save the cash and create your own cert.
Greg wrote:
> I think that the certificate businesses (Verisign and Thawte) do some
> research into the certificate holder to make sure that it is a "real"
> business and not some 3l33t hax0r.... but I came across someone's
> investigation where they basically had their pet dog as the head of a
> fictional company that got a certificate.... (hmmm, could this work so that I
> can claim my 2 dogs and the SO's 2 cats as dependents on taxes?.. JUST
> KIDDING!). I also think that it is supposed to be set up something like
> the public/private key authentication mechanism and also with browsers and
> their "OK'ing" stuff when the cert is from Verisign/Thawte. However, let us
> not forget that a black hat got 9 certificate #'s that belonged to our dear
> friends from Redmond. Of course when it made the news MS made a patch that
> would fix IE to not trust the 9 numbers (and what else it did I don't know).
>
> It depends on what degree of security you want and how much you are willing
> to do/pay for. My last job just used a self generated certificate, but we
> were not dealing with any e-commerce.
>
> Basically you are correct in your summation concerning the cert pimps and
> "joe the web guy".
>
> Greg the web guy (not to be confused w/ joe the web guy)
>
>
>>-----Original Message-----
>>From: Geoffrey [mailto:esoteric at 3times25.net]
>>Sent: Wednesday, February 13, 2002 2:18 PM
>>To: ale at ale.org
>>Subject: Re: [ale] https
>>
>>
>>Denny Chambers wrote:
>>
>>>Here is a link to the mod_ssl user guide, which talks about creating your
>>>own self-signed certificates. This will work on your SSL server, although
>>>this method is not as secure as having a real certificate from a CA. On
>>>the other hand this is a lot cheaper.
>>>
>>Correct me if I'm wrong, but the security of a self-signed certificate
>>is no less than the security of a purchased one. The only difference is
>>that folks visiting your site might feel more comfortable finding the
>>certificate is signed by one of the well known certificate rapists,
>>rather than being signed by 'joe the web guy.'
--
Until later: Geoffrey esoteric at 3times25.net
"...the system (Microsoft passport) carries significant risks to users that
are not made adequately clear in the technical documentation available."
- David P. Kormann and Aviel D. Rubin, AT&T Labs - Research
- http://www.avirubin.com/passport.html
---
This message has been sent through the ALE general discussion list.
See http://www.ale.org/mailing-lists.shtml for more info. Problems should be
sent to listmaster at ale dot org.
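The thread above argues about whether a self-signed certificate is "less secure" than one bought from a CA. The point worth pinning down is that the handshake, ciphers and X.509 parsing are identical in both cases; what differs is which trust anchor the client holds, and that anchor is what stops an impostor who self-signs a certificate carrying the same host name. The script below is an added example, not code from the original thread or from the mod_ssl guide it mentions. It needs only the openssl command-line tool (1.1.0 or later for -no-CAfile/-no-CApath); the host name, the "Joe Bob" CA and the file names are made up for the demonstration. It goes one step past the thread by also minting an impostor certificate and showing that a client which has been handed the site's self-signed certificate out of band (the customers/employees case) rejects it just as a CA-trusting client would.

```sh
#!/bin/sh
# Added example (not from the original thread). Requires the openssl CLI,
# 1.1.0 or later. All names and paths below are hypothetical.
set -eu

WORK="${WORK:-$(mktemp -d)}"
SITE="intranet.example.test"   # hypothetical host name

# 1. "joe the web guy": a self-signed server certificate, the mod_ssl-guide way.
make_self_signed() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -subj "/CN=$SITE" -keyout "$WORK/self.key" -out "$WORK/self.crt" \
        >/dev/null 2>&1
}

# 2. A private CA standing in for a commercial one, issuing a cert for the same host.
make_ca_signed() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -subj "/CN=Joe Bob Certificate Signing Co" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" >/dev/null 2>&1
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$SITE" \
        -keyout "$WORK/server.key" -out "$WORK/server.csr" >/dev/null 2>&1
    openssl x509 -req -sha256 -days 365 -in "$WORK/server.csr" \
        -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
        -out "$WORK/server.crt" >/dev/null 2>&1
}

# 3. An impostor: anyone can self-sign a certificate that carries the same CN.
make_impostor() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -subj "/CN=$SITE" -keyout "$WORK/evil.key" -out "$WORK/evil.crt" \
        >/dev/null 2>&1
}

# verify_result <anchor-file|none> <cert>: prints what a client holding only
# that trust anchor would decide. -no-CAfile/-no-CApath keep the system CA
# file and directory out of the decision, so the outcome depends on the anchor.
verify_result() {
    if [ "$1" = none ]; then
        set -- -no-CAfile -no-CApath "$2"
    else
        set -- -no-CAfile -no-CApath -CAfile "$1" "$2"
    fi
    if openssl verify "$@" >/dev/null 2>&1; then echo accepted; else echo rejected; fi
}

make_self_signed
make_ca_signed
make_impostor

printf '%-14s %-10s %s\n' "client trusts" "cert" "result"
for pair in none:self self:self none:server ca:server ca:self self:evil ca:evil; do
    anchor=${pair%%:*}
    cert=${pair##*:}
    if [ "$anchor" = none ]; then a=none; else a="$WORK/$anchor.crt"; fi
    printf '%-14s %-10s %s\n' "$anchor" "$cert" "$(verify_result "$a" "$WORK/$cert.crt")"
done
```

Every row uses the same openssl code to check the same kind of signature; only the anchor changes. The self-signed certificate is accepted exactly by a client that already has it, the CA-issued one by a client that has the CA, and the impostor by neither. That is the whole difference the thread is circling: a self-signed certificate carries the same cryptography, but it only protects clients you can hand the certificate (or your private CA) to beforehand.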