This particular problem is caused by folks disabling the SSL stack's built-in chain validation and then not implementing their own. Whether the certificate authorities are trustworthy is another question, of course. The current versions of SSL/TLS are never vulnerable to man-in-the-middle attacks unless a trusted certificate authority is compromised (as long as both client and server implement RFC 5746). The problem with self-signed on the public HTTPS web is that there's too many sites for it to be at all practical for you to acquire all their self-signed public certificates before connecting to any of them that advantage (of the CA system) ceases to be very relevant on a closed system such as an intranet, though larger intranets can go for things like a private CA.Įxpired certificates or non-matching host certificates are a demonstration of poor deployment. Public HTTPS does it in a particular pattern, but a self-signed certificate also works (provided you've distributed the server's public key to clients in a trusted way first). ![]() ![]() It's important that clients verify the identity of the servers to which they connect, but they can do so in many ways. ![]() That allows you to have a wonderfully secure conversation with whoever is snooping. TFA also doesn't understand that sometimes you don't care that much about MITM, just that the traffic is encrypted to make the current session opaque.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |