httpd-users mailing list archives

From "Serge Dubrouski" <serge...@gmail.com>
Subject Re: [users@httpd] Namebased Virtual Hosts
Date Tue, 17 Oct 2006 18:10:59 GMT
On 10/17/06, Joshua Slive <joshua@slive.ca> wrote:
> On 10/17/06, Serge Dubrouski <sergeyfd@gmail.com> wrote:
> > On 10/17/06, Joshua Slive <joshua@slive.ca> wrote:
> > > On 10/17/06, Gregor Schneider <rc46fi@googlemail.com> wrote:
>
> > > > > And in addition, your second and third ssl sites are not going to work
> > > > > properly.  You can only have one ssl site on each IP-address/port
> > > > > combination because the SSL certificate is selected before the
> > > > > hostname is known.
> > > >
> > > > Well, what is going to happen if I do specify more than one SSL-site per
> > > > IP/port-pair? Do I just get the message that the cert is invalid (I could
> > > > pretty much live with that)?
> > >
> > > Yes, you will have an invalid cert.  But note that SSL with an invalid
> > > cert is no more secure than ordinary HTTP.  So this may be okay for
> > > testing, but it doesn't provide any real security.
> > >
> > > Joshua.
> > >
> >
> > Why?! Per my understanding the channel will be encrypted anyway. A self-signed
> > certificate is invalid from the browser's point of view as well, but it
> > doesn't prevent encryption. Am I missing something?
>
> The channel is encrypted, but you have no idea who encrypted it.  It
> could, for example, be a "man in the middle" that puts himself on the
> wire between you and server, decrypts the original content,

Tell me, how would you do that without the server's private key????? It
doesn't matter who issued the certificate; encryption is always the
same, based on the server's private key. So you have to steal it first.

> stores it
> for whatever nefarious purpose, and then re-encrypts it and sends it
> to you.

Again, where do you get the right private key to encrypt the data?

> Without a certificate that represents the server of origin,
> you have no way of telling where it came from.  This attack is a
> little more work than passively eavesdropping on a plain HTTP
> connection, but it is very feasible.

The real problem with self-signed certificates is that they don't
guarantee that company A, to which the certificate was issued, is really
company A and not somebody else. A CA has to check all the data that is put
into the certificate before issuing it. But on the other hand, browsers now
always contact CAs to verify certificates. Is OCSP enabled in your
browser by default?

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
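The disagreement in this thread, whether a certificate the browser calls "invalid" still protects the channel, can be checked mechanically. The Go program below is an added example; it is not part of this thread or of httpd. It constructs, in memory, a toy root CA, a server certificate that CA issues for the hostname `www.example.test` (an assumed name), and a self-signed certificate for the same hostname that no CA vouches for, then runs three TLS handshakes over an in-process pipe. A client that verifies against the toy CA accepts the issued certificate and rejects the self-signed one as "unknown authority"; a client configured with `InsecureSkipVerify` accepts the self-signed one as well. In that last case the handshake completes and the channel is encrypted, but it is encrypted with the key of whichever party presented the certificate, not with the origin server's key. That is the point Joshua makes above: the peer you are talking to supplies the key, so without certificate verification nothing ties the session to the server you intended to reach.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"net"
	"time"
)

// ServerName is the hostname the client expects; constructed for this example.
const ServerName = "www.example.test"

// newCert builds a certificate for cn. With parent == nil it is self-signed, otherwise
// it is issued by parent and signed with parentKey. Setup failures are fatal, so panic.
func newCert(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		tmpl.KeyUsage = x509.KeyUsageCertSign
	} else {
		tmpl.KeyUsage = x509.KeyUsageDigitalSignature
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
		tmpl.DNSNames = []string{cn}
	}
	if parent == nil { // self-signed: nobody but the key holder vouches for it
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // DER we just produced always parses
	return cert, key
}

// handshake runs one TLS handshake over an in-memory pipe and returns the client's
// error. nil means the client accepted whoever holds serverCert's key: the channel is
// encrypted, but only to that party, whoever they are.
func handshake(serverCert tls.Certificate, roots *x509.CertPool, skipVerify bool) error {
	clientConn, serverConn := net.Pipe()
	go func() {
		defer serverConn.Close()
		// Tickets are disabled so every server flight ends with a record the client must read;
		// otherwise the unbuffered pipe could stall on trailing NewSessionTicket bytes.
		srv := tls.Server(serverConn, &tls.Config{Certificates: []tls.Certificate{serverCert}, SessionTicketsDisabled: true})
		_ = srv.Handshake() // the server-side outcome is not what we measure
	}()
	cli := tls.Client(clientConn, &tls.Config{
		ServerName:         ServerName,
		RootCAs:            roots,
		InsecureSkipVerify: skipVerify, // accept any certificate: encrypted, but to whom?
	})
	err := cli.Handshake()
	clientConn.Close()
	return err
}

// IsUnknownAuthority reports whether err is the verifier rejecting a chain no trusted CA signed.
func IsUnknownAuthority(err error) bool {
	var unknown x509.UnknownAuthorityError
	return errors.As(err, &unknown)
}

// Run builds the toy CA, its genuine server cert, and a self-signed cert for the same name.
func Run() (genuineVerified, impostorVerified, impostorSkipped error) {
	caCert, caKey := newCert("Toy Root CA (constructed)", true, nil, nil)
	genuineCert, genuineKey := newCert(ServerName, false, caCert, caKey)
	impostorCert, impostorKey := newCert(ServerName, false, nil, nil)
	roots := x509.NewCertPool()
	roots.AddCert(caCert)
	genuine := tls.Certificate{Certificate: [][]byte{genuineCert.Raw}, PrivateKey: genuineKey}
	impostor := tls.Certificate{Certificate: [][]byte{impostorCert.Raw}, PrivateKey: impostorKey}
	return handshake(genuine, roots, false), // CA-issued cert, verifying client
		handshake(impostor, roots, false), // self-signed cert, verifying client
		handshake(impostor, roots, true) // self-signed cert, InsecureSkipVerify client
}

func main() {
	g, i, s := Run()
	fmt.Println("CA-issued cert, verifying client:    ", g)
	fmt.Println("self-signed cert, verifying client:  ", i, "| unknown authority:", IsUnknownAuthority(i))
	fmt.Println("self-signed cert, InsecureSkipVerify:", s)
}
```

The three results read: the verifying client reports no error for the CA-issued certificate, an unknown-authority error for the self-signed one, and no error at all once verification is skipped. Nothing in the third handshake required the genuine server's private key; the self-signed key did all the encrypting. That is why a client that tolerates certificate errors is worth treating, for threat-modeling purposes, as an unauthenticated channel.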
