httpd-users mailing list archives

From "Joshua Slive" <jos...@slive.ca>
Subject Re: [users@httpd] Namebased Virtual Hosts
Date Tue, 17 Oct 2006 17:20:10 GMT
On 10/17/06, Serge Dubrouski <sergeyfd@gmail.com> wrote:
> On 10/17/06, Joshua Slive <joshua@slive.ca> wrote:
> > On 10/17/06, Gregor Schneider <rc46fi@googlemail.com> wrote:

> > > > And in addition, your second and third ssl sites are not going to work
> > > > properly.  You can only have one ssl site on each IP-address/port
> > > > combination because the SSL certificate is selected before the
> > > > hostname is known.
> > >
> > > Well, what is going to happen if I do specify more than one SSL-site per
> > > IP/port-pair? Do I just get the message that the cert is invalid (I could
> > > pretty much live with that)?
> >
> > Yes, you will have an invalid cert.  But note that SSL with an invalid
> > cert is no more secure than ordinary HTTP.  So this may be okay for
> > testing, but it doesn't provide any real security.
> >
> > Joshua.
> >
>
> Why?! Per my understanding the channel will be encrypted anyway. A self-signed
> certificate is invalid from the browser's point of view as well,
> but it doesn't prevent encryption. Do I miss something?

The channel is encrypted, but you have no idea who encrypted it.  It
could, for example, be a "man in the middle" that puts himself on the
wire between you and the server, decrypts the original content, stores it
for whatever nefarious purpose, and then re-encrypts it and sends it
to you.  Without a certificate that represents the server of origin,
you have no way of telling where it came from.  This attack is a
little more work than passively eavesdropping on a plain HTTP
connection, but it is very feasible.

Punchline: untrusted certificate = insecure connection

Joshua.

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
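Added illustration of the point made above (not part of Joshua's message and not Apache httpd code): a Diffie-Hellman key exchange run three times, first honestly, then with an attacker swapping in his own key share while the client skips verification (the "click through the warning" case), then with the client checking that the server's share carries a signature under a key it already trusts. The "certificate" is modelled as a pinned Lamport one-time public key, the record cipher as HMAC-SHA256 in counter mode, and the request is a constructed sample; real TLS uses a long-lived RSA/ECDSA key certified by a CA, but the trust decision is the same.

```python
"""Why an encrypted channel without an authenticated peer is no better than
plain HTTP against an active attacker.  Constructed demonstration; a Lamport
one-time signature stands in for the certificate signature and HMAC-SHA256 in
counter mode stands in for the record-layer cipher."""
import hashlib
import hmac
import secrets

# 2048-bit MODP group from RFC 3526 (group 14), g = 2.  Any large prime would
# do here: the point of the demo is who vouches for the share, not the group.
P = int("".join("""
FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1 29024E08 8A67CC74
020BBEA6 3B139B22 514A0879 8E3404DD EF9519B3 CD3A431B 302B0A6D F25F1437
4FE1356D 6D51C245 E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED
EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE45B3D C2007CB8 A163BF05
98DA4836 1C55D39A 69163FA8 FD24CF5F 83655D23 DCA3AD96 1C62F356 208552BB
9ED52907 7096966D 670C354E 4ABC9804 F1746C08 CA18217C 32905E46 2E36CE3B
E39E772C 180E8603 9B2783A2 EC07A28F B5C55DF0 6F4C52C9 DE2BCBF6 95581718
3995497C EA956AE5 15D22618 98FA0510 15728E5A 8AACAA68 FFFFFFFF FFFFFFFF
""".split()), 16)
G = 2
P_BYTES = (P.bit_length() + 7) // 8  # 256


def int_to_bytes(x):
    return x.to_bytes(P_BYTES, "big")


def kdf(shared_secret):
    """Session key derived from the DH shared secret."""
    return hashlib.sha256(int_to_bytes(shared_secret)).digest()


def xor_stream(key, data):
    """Keystream cipher (HMAC-SHA256 in counter mode); same call encrypts and decrypts."""
    out = bytearray()
    for off in range(0, len(data), 32):
        block = hmac.new(key, off.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(x ^ k for x, k in zip(data[off:off + 32], block))
    return bytes(out)


# --- Lamport one-time signature: plays the role of the certificate signature ---
def lamport_keygen():
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    pk = [(hashlib.sha256(s0).digest(), hashlib.sha256(s1).digest()) for s0, s1 in sk]
    return sk, pk


def _bits(msg):
    h = hashlib.sha256(msg).digest()
    return [(h[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]


def lamport_sign(sk, msg):
    return [sk[i][bit] for i, bit in enumerate(_bits(msg))]


def lamport_verify(pk, msg, sig):
    return all(hashlib.sha256(sig[i]).digest() == pk[i][bit]
               for i, bit in enumerate(_bits(msg)))


def run_handshake(active_attacker, client_verifies, plaintext):
    """Client sends `plaintext` to the server over a DH-keyed channel.

    Returns a dict with handshake_ok, what the server decrypted, and what (if
    anything) the attacker decrypted.  client_verifies=False models a user
    clicking through a browser certificate warning."""
    # Server identity key.  Its public half is what the client trusts in
    # advance (the job a CA-validated certificate does in TLS).  Lamport keys
    # are one-time, so this toy regenerates them for every handshake.
    server_sk, server_pk = lamport_keygen()
    trusted_pk = server_pk  # the client's pinned / CA-validated copy

    a, b = secrets.randbelow(P - 2) + 1, secrets.randbelow(P - 2) + 1
    A, B = pow(G, a, P), pow(G, b, P)
    sig_over_B = lamport_sign(server_sk, int_to_bytes(B))

    if active_attacker:
        m = secrets.randbelow(P - 2) + 1
        M = pow(G, m, P)
        # Attacker substitutes his own share in both directions.  He can relay
        # the server's signature, but it covers B, not M.
        share_at_server, share_at_client, sig_at_client = M, M, sig_over_B
    else:
        share_at_server, share_at_client, sig_at_client = A, B, sig_over_B

    if client_verifies and not lamport_verify(trusted_pk, int_to_bytes(share_at_client), sig_at_client):
        return {"handshake_ok": False, "server_read": None, "attacker_read": None}

    client_key = kdf(pow(share_at_client, a, P))
    server_key = kdf(pow(share_at_server, b, P))
    ciphertext = xor_stream(client_key, plaintext)

    attacker_read = None
    if active_attacker:
        # M^a == A^m and M^b == B^m, so the attacker holds the key of each leg:
        # decrypt, keep a copy, re-encrypt toward the server.
        attacker_read = xor_stream(kdf(pow(A, m, P)), ciphertext)
        ciphertext = xor_stream(kdf(pow(B, m, P)), attacker_read)
    return {"handshake_ok": True,
            "server_read": xor_stream(server_key, ciphertext),
            "attacker_read": attacker_read}


if __name__ == "__main__":
    request = b"GET /secret HTTP/1.1"  # constructed sample request
    for attacker, verifies in [(False, True), (True, False), (True, True)]:
        print(f"attacker={attacker} verifies={verifies}:",
              run_handshake(attacker, verifies, request))
```

In the second run the server and client both see a perfectly good encrypted session and the attacker still reads the request in the clear; only the third run, where the client refuses a share that does not verify against a key it trusted beforehand, stops him. That is what "untrusted certificate = insecure connection" means in practice.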

