Full Disclosure mailing list archives
Re: FD / lists.grok.org - bad SSL cert
From: "Michael Krymson" <krymson () gmail com>
Date: Wed, 7 Jan 2009 10:47:57 -0600
Two exercises.

1. Put these three items in order of value to you.

- website with no SSL at all but accepts logins
- website with self-signed SSL
- website with omg-the-world-trusts-it-because-it-cost-money SSL

I think it becomes apparent that there is some value to the self-signed SSL, as Valdis mentioned. Sure, it doesn't protect against a mitm attack, but it does protect against raw sniffing, just like he originally said. In fact, value each of those on a scale of 100 (secured!) to 1 (not secured!). I imagine you'll find self-signed SSLs are closer to one than the other...

2. Let's say you run this mailing list and don't profit off it. Are you willing to pay for the SSL cert? Have you done a risk analysis? What exactly are you protecting by fending off some nasty MITM attack that wants to sniggle your login credentials for the full-disclosure mailing list, an unmoderated mailing list where I could pose as you and spoof email if I wanted? Are your mailing list settings really that important?

My guess is there are three concerns:

a. You use the same password on your mailing list account and other places. Shame on you if so...that's your problem.

b. You are concerned someone might connect your IP/browser to the account dirtysecuritywhore () iwanttohide com. In which case, you should have been taking other measures anyway.

c. You don't want ureleet unsubscribing you every day (face it, we ALL want to do this to netdev). Fine, this is valid, but really, who the hell will MITM you just so they can mess with you? Your ISP? Your flatmates on the same network as you?

Basically speaking, the risks of managing your mailing list account via a self-signed SSL should be slim to none, and anyone who wants to argue the differences between self-signed certs and trusted ones should be smart enough to reduce their risk to nearly none despite the evul self-signed cert on the Internet.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
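The post's three-way ranking has a client-side counterpart that decides how much a self-signed cert actually buys you: a client that encrypts but verifies nothing stops raw sniffing only; a client that pins the self-signed cert (trust on first use, the SSH model) also stops an active MITM for that one host; a client that verifies against the system CA bundle stops both for any host a CA vouches for. The following is an added example written for this page, not code from the thread or from the list's software; the host names, the pin-store path and the byte strings standing in for DER certificates in its checks are constructed placeholders, and the PinStore/tofu_connect names are this example's own.

```python
"""
Three ways a TLS client can treat a self-signed certificate, and a small
trust-on-first-use (TOFU) pin store that turns "self-signed" into "pinned".

  "none"   encrypt, verify nothing    -> beats raw sniffing, loses to an active MITM
  "pinned" trust exactly this cert    -> beats both, for this one host
  "ca"     trust the system CA bundle -> beats both, for any CA-vouched host

Added example; host names, the pin-store path and the byte strings used as
"certificates" are constructed placeholders.
"""
import hashlib
import json
import socket
import ssl
from pathlib import Path
from typing import Dict, Optional


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 of the DER encoding: the value a browser shows as the cert fingerprint."""
    return hashlib.sha256(der_cert).hexdigest()


class PinMismatch(Exception):
    """The host presented a certificate other than the one pinned on first use."""


class PinStore:
    """host:port -> fingerprint. First contact records the pin, later contacts verify it."""

    def __init__(self, entries: Optional[Dict[str, str]] = None) -> None:
        self.entries: Dict[str, str] = dict(entries or {})

    def check(self, key: str, der_cert: bytes) -> str:
        seen = fingerprint(der_cert)
        pinned = self.entries.get(key)
        if pinned is None:
            self.entries[key] = seen          # trust on first use and remember it
            return "pinned"
        if pinned != seen:                    # a swapped cert is exactly what a MITM looks like
            raise PinMismatch(f"{key}: pinned {pinned[:16]}..., presented {seen[:16]}...")
        return "match"

    def save(self, path: Path) -> None:
        path.write_text(json.dumps(self.entries, indent=2, sort_keys=True))

    @classmethod
    def load(cls, path: Path) -> "PinStore":
        return cls(json.loads(path.read_text()) if path.exists() else {})


def context_for(policy: str, trusted_pem: Optional[str] = None) -> ssl.SSLContext:
    """Build an SSLContext for one of the three policies in the module docstring."""
    if policy == "ca":
        return ssl.create_default_context()   # CERT_REQUIRED + hostname check, system CAs
    if policy == "pinned":
        if not trusted_pem:
            raise ValueError("pinned policy needs the server's own PEM certificate")
        # cadata replaces the CA bundle: only this certificate verifies, nothing else does.
        return ssl.create_default_context(cadata=trusted_pem)
    if policy == "none":
        ctx = ssl.create_default_context()
        ctx.check_hostname = False            # must be cleared before verify_mode is changed
        ctx.verify_mode = ssl.CERT_NONE       # what clicking through the browser warning amounts to
        return ctx
    raise ValueError(f"unknown policy {policy!r}")


def tofu_connect(host: str, port: int, store: PinStore) -> ssl.SSLSocket:
    """Handshake without CA verification, then refuse to use the connection unless the
    presented certificate matches the pin. The handshake proves the peer holds the private
    key for the certificate it presented, so checking the pin on this same connection is sound."""
    ctx = context_for("none")
    raw = socket.create_connection((host, port), timeout=10)
    tls = ctx.wrap_socket(raw, server_hostname=host)
    try:
        der = tls.getpeercert(binary_form=True)
        if not der:
            raise PinMismatch(f"{host}:{port}: no certificate presented")
        store.check(f"{host}:{port}", der)
    except PinMismatch:
        tls.close()
        raise
    return tls


if __name__ == "__main__":
    # Placeholder store path; the host is the one the thread is about.
    pins = PinStore.load(Path("pins.json"))
    conn = tofu_connect("lists.grok.org.uk", 443, pins)
    print("pinned fingerprint:", pins.entries["lists.grok.org.uk:443"])
    conn.close()
    pins.save(Path("pins.json"))
```

On first run the store is empty, so whatever certificate the host presents is recorded; that first contact is the only window in which an interposed party could plant its own pin, which is the same trade-off the SSH known_hosts model makes. From then on a different certificate, whether a real MITM or a legitimate renewal, raises PinMismatch and the connection is closed before any credentials are sent, so a renewal has to be handled by deliberately deleting the old pin.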
Current thread:
- FD / lists.grok.org - bad SSL cert Gary Wilson (Jan 05)
- Re: FD / lists.grok.org - bad SSL cert Avraham Schneider (Jan 05)
- Re: FD / lists.grok.org - bad SSL cert Michael Krymson (Jan 07)
- Re: FD / lists.grok.org - bad SSL cert Anders B Jansson (Jan 05)
- Re: FD / lists.grok.org - bad SSL cert Rob Thompson (Jan 05)
- Re: FD / lists.grok.org - bad SSL cert Noel Butler (Jan 05)
- Re: FD / lists.grok.org - bad SSL cert Adrenalin (Jan 05)
- Re: FD / lists.grok.org - bad SSL cert chort (Jan 05)
- Re: FD / lists.grok.org - bad SSL cert Rob Thompson (Jan 05)
- Re: FD / lists.grok.org - bad SSL cert Avraham Schneider (Jan 05)
- Re: FD / lists.grok.org - bad SSL cert Tim (Jan 05)
- Re: FD / lists.grok.org - bad SSL cert Valdis . Kletnieks (Jan 05)
- Re: FD / lists.grok.org - bad SSL cert Tim (Jan 05)
- Re: FD / lists.grok.org - bad SSL cert Valdis . Kletnieks (Jan 05)