nanog mailing list archives
Re: Microsoft deems all DigiNotar certificates untrustworthy, releases
From: Valdis.Kletnieks () vt edu
Date: Tue, 13 Sep 2011 11:03:15 -0400
On Tue, 13 Sep 2011 16:29:30 +0200, Tei said:
> He, I just want to self-sign my certs and remove the ugly warning that browsers show. I don't want to pay 1000$ a year, or 1$ a year for that. I
The warning is there for a *reason* - namely that if you have a self-signed cert, a first time visitor has *zero* way to verify it's *your* self-signed cert and not some hijacker's self-signed cert.
> just don't want to use cleartext for internet data transfer. HTTP is like telnet, and HTTPS is like ssh. But with ssh it can just connect, with browsers there's this ugly warning and "fuck you, self-signed certificate" from the browsers. Please make the pain stop!
If you use SSH to connect, and either ignore the "host key has changed" or "authenticity can't be established, continue connecting?" messages, you get what you deserve - those are the *exact* same issues that your browser warns about self-signed certs. And if you *don't* ignore them on SSH - why do you want to ignore them on SSL?

Note that there's another big difference between SSH and SSL - the number of people who are allowed to SSH to a given machine is (a) usually small and (b) pre-identified up front. So if Fred gets an "unknown host key" while SSH'ing to the server you just set up, that's probably not a big issue because you presumably know who Fred is and just created an account for him, so you can supply him with the footprint of the SSH host key to double-verify. That does *not* scale to Internet-facing web services.

Of course, if you have a *private* *internal* webserver with limited users, you're free to use a self-signed cert and use your browser's handy "Add security exemption" dialog and check "Permanent".
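
The SSH-style check described in the message above, applied to a self-signed TLS certificate. This is an added example, not part of the original post: a client-side pin store that reports the same two conditions SSH does and pins a certificate only when its fingerprint agrees with one the server operator supplied out of band. The function names, the dict-based store and the sample bytes are assumptions made for illustration.

```python
import hashlib
import socket
import ssl


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 over the DER-encoded certificate, as colon-separated hex."""
    digest = hashlib.sha256(der_cert).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fetch_der(host: str, port: int = 443) -> bytes:
    """Fetch the server certificate with chain validation off; the pin is the check."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def check_pin(pins: dict, host: str, der_cert: bytes) -> str:
    """Classify a presented certificate; never stores anything by itself."""
    pinned = pins.get(host)
    if pinned is None:
        return "unknown"    # SSH: "authenticity can't be established"
    if pinned == fingerprint(der_cert):
        return "match"
    return "changed"        # SSH: "host key has changed"


def pin_verified(pins: dict, host: str, der_cert: bytes, out_of_band: str) -> bool:
    """Pin only if the operator-supplied fingerprint matches what was presented."""
    seen = fingerprint(der_cert)
    if seen != out_of_band.strip().lower():
        return False        # what we saw is not what the operator told us
    pins[host] = seen
    return True


if __name__ == "__main__":
    # Constructed stand-ins for DER certificates; use fetch_der() against a real host.
    genuine, other = b"constructed-cert-genuine", b"constructed-cert-other"
    pins = {}
    print(check_pin(pins, "intranet.example", genuine))
    print(pin_verified(pins, "intranet.example", other, fingerprint(genuine)))
    print(pin_verified(pins, "intranet.example", genuine, fingerprint(genuine)))
    print(check_pin(pins, "intranet.example", other))
```

The out-of-band fingerprint is the part that depends on a small, known set of users, which is why this works for an internal server and not for first-time visitors to a public site.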