[144536] in North American Network Operators' Group
Re: Microsoft deems all DigiNotar certificates untrustworthy, releases
daemon@ATHENA.MIT.EDU (Valdis.Kletnieks@vt.edu)
Tue Sep 13 11:04:37 2011
To: Tei <oscar.vives@gmail.com>
In-Reply-To: Your message of "Tue, 13 Sep 2011 16:29:30 +0200."
<CACg3zYHrY7g1NhrrKGs=oPFKryr8pfvsrr=pxB5DY78Simx85Q@mail.gmail.com>
From: Valdis.Kletnieks@vt.edu
Date: Tue, 13 Sep 2011 11:03:15 -0400
Cc: nanog@nanog.org
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
--==_Exmh_1315926195_79123P
Content-Type: text/plain; charset=us-ascii
On Tue, 13 Sep 2011 16:29:30 +0200, Tei said:
> He, I just want to self-sign my CERT's and remove the ugly warning that
> browsers shows. I don't want to pay 1000$ a year, or 1$ a year for that. I
The warning is there for a *reason* - namely that if you have a self-signed
cert, a first time visitor has *zero* way to verify it's *your* self-signed
cert and not some hijacker's self-signed cert.
> just don't want to use cleartext for internet data transfer. HTTP is like
> telnet, and HTTPS is like ssh. But with ssh is just can connect, with
> browsers theres this ugly warning and "fuck you, self-signed certificate"
> from the browsers. Please make the pain stop!.
If you use SSH to connect, and either ignore the "host key has changed" or
"authenticity can't be established, continue connecting?" messages, you get
what you deserve - those are the *exact* same issues that your browser warns
about self-signed certs. And if you *don't* ignore them on SSH - why do you
want to ignore them on SSL?
Note that there's another big difference between SSH and SSL - the number of
people who are allowed to SSH to a given machine is (a) usually small and (b)
pre-identified up front. So if Fred gets an "unknown host key" while SSH'ing
to the server you just set up, that's probably not a big issue because you
presumably know who Fred is and just created an account for him, so you can
supply him with the footprint of the SSH host key to double-verify. That does
*not* scale to Internet-facing web services.
Of course, if you have a *private* *internal* webserver with limited users,
you're free to use a self-signed cert and use your browser's handy "Add
security exemption" dialog and check "Permanent".
--==_Exmh_1315926195_79123P
Content-Type: application/pgp-signature
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Exmh version 2.5 07/13/2001
iD8DBQFOb3CzcC3lWbTT17ARAn7dAJ9Z0JSCsQ1VqUTBAwpQuoxlLjfh5wCfeTaG
Kl6vStPdDLSwnnF5Qao/hW0=
=0ZG6
-----END PGP SIGNATURE-----
--==_Exmh_1315926195_79123P--
