httpd-users mailing list archives

From "David P. Donahue" <ddona...@ccs.neu.edu>
Subject Re: [users@httpd] SSL And Virtual Hosts
Date Mon, 13 Mar 2006 16:13:48 GMT
> For most serious applications of SSL, not really...
> 
> Imagine you went to buy a book at Amazon and when you clicked on "checkout", you got
> a warning saying, "we're having a problem with our server and so you might get a browser warning
> about site name not matching certificate. Don't worry, just carry on and type in your credit
> card number anyway..." - would you?
> 
> I guess if you have a limited application where the server holds the confidential data
> and the clients are just browsing it and there's no conceivable risk of anyone impersonating
> the server to serve up false data, then maybe it would be enough. But if the clients have
> anything confidential to submit, you really need authentication as much as encryption - put
> it another way, if you send your money off in an armoured car, you'd better make sure the
> driver really goes to the bank.

The most we're talking about here is a username/password for 
forums/ftp/webmail.  I definitely don't have the infrastructure in place 
for any serious e-commerce sites, nor would I want that kind of 
responsibility placed on my home business at this stage.

I'm curious, though, about your cautionary statements.  In what way 
could this setup potentially be abused?  Assume that the only people who 
use any SSL-encrypted services on my secondary domains are fully aware 
of my primary domain and know that I am the one handling their hosting. 
Thus, when they receive a warning message about their certificate, 
they'd see my name and know it's OK.  Is there a way for a 3rd party to 
abuse this and hijack their data?

The only thing I can think of is if someone messed with their DNS so 
that they go to another server pretending to be me.  But, even with 
authentication, the only way to truly prevent that would be to use 
"trusted" certs, which cost, what, $200? (something I don't have at the 
moment)  As long as I'm self-signing, anyone can self-sign and pretend 
to be me.


Regards,
David P. Donahue
ddonahue@ccs.neu.edu
http://www.cyber0ne.com
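The warning under discussion is the browser's hostname check: the name the user typed is compared against the DNS names in the presented certificate, and a certificate issued for the primary domain simply does not name the secondary domains. The following is an added illustration, not code from the thread or from Apache; it implements the RFC 6125 matching rules (case-insensitive labels, a wildcard only as the whole leftmost label, matching exactly one label) against a constructed list of certificate names. The secondary-domain hostnames are made up for the example; only cyber0ne.com appears in the message above.

```python
"""Hostname-to-certificate matching, as a browser does it before trusting a TLS server.

Added example for the SSL-and-virtual-hosts thread; not part of the original
message. All certificate names and client hostnames below are constructed.
"""
from __future__ import annotations

from typing import Dict, Iterable


def _labels(name: str) -> list[str]:
    """Normalise a DNS name: lower-case, strip a trailing dot, split on dots."""
    return name.lower().rstrip(".").split(".")


def dns_name_matches(pattern: str, hostname: str) -> bool:
    """Return True if one certificate DNS name (possibly a wildcard) covers hostname.

    Rules applied (RFC 6125 section 6.4.3, as browsers implement them):
      * comparison is case-insensitive, label by label
      * '*' is allowed only as the entire leftmost label ("*.example.org"),
        never as part of a label ("f*.example.org") and never deeper in the name
      * a wildcard matches exactly one non-empty label, so "*.example.org"
        does not cover "a.b.example.org" or "example.org" itself
      * a wildcard needs at least two fixed labels after it ("*.com" is refused)
    """
    if not pattern or not hostname:
        return False
    p_labels = _labels(pattern)
    h_labels = _labels(hostname)
    if len(p_labels) != len(h_labels):
        return False
    if "*" in pattern:
        if p_labels[0] != "*" or any("*" in lbl for lbl in p_labels[1:]):
            return False
        if len(p_labels) < 3:
            return False
        return bool(h_labels[0]) and p_labels[1:] == h_labels[1:]
    return p_labels == h_labels


def cert_matches_host(cert_dns_names: Iterable[str], hostname: str) -> bool:
    """True if any DNS name carried by the certificate covers the requested host."""
    return any(dns_name_matches(n, hostname) for n in cert_dns_names)


def check_vhosts(cert_dns_names: Iterable[str], hostnames: Iterable[str]) -> Dict[str, bool]:
    """Report, per virtual host, whether the shared certificate would pass the check.

    A False entry is exactly the case where the browser shows the
    'site name does not match certificate' warning.
    """
    names = list(cert_dns_names)
    return {h: cert_matches_host(names, h) for h in hostnames}


if __name__ == "__main__":
    # Constructed: a certificate issued only for the primary domain...
    primary_only = ["cyber0ne.com", "www.cyber0ne.com"]
    # ...served to browsers visiting several name-based virtual hosts.
    vhosts = ["www.cyber0ne.com", "forums.example.org", "webmail.example.net"]
    print("primary-only cert:", check_vhosts(primary_only, vhosts))

    # Constructed: the same certificate re-issued with the secondary domains
    # listed as subjectAltName entries; every vhost now passes the check.
    with_sans = primary_only + ["*.example.org", "*.example.net"]
    print("cert with SANs:   ", check_vhosts(with_sans, vhosts))
```

Run stand-alone, the first report shows the mismatch for every secondary domain and the second shows all three passing, which is the difference a single certificate carrying subjectAltName entries for each hosted domain makes. It also shows why the "they'd see my name and know it's OK" reasoning is fragile: the browser's check fails identically for a legitimately mis-named certificate and for one presented by an impostor, so users trained to click through the warning can no longer tell the two apart.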

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org