httpd-users mailing list archives

From Nicholas Sherlock <n.sherl...@gmail.com>
Subject [users@httpd] Re: Low priced certificate?
Date Wed, 22 Jul 2009 16:16:30 GMT
André Warnier wrote:
> It is my understanding that we could set up our own "certificate 
> authority" (CA) and create our own server certificates.  A customer 
> browser, upon the first connection, would pop up some message indicating 
> that it cannot verify this certificate, and offering maybe to 
> "authorise" our own CA as a valid one.  Once they did this, the popup 
> would not happen again, and their communications with the website would 
> be encrypted (which is the main point of the exercise).

An attacker can use precisely the same mechanism to serve their own 
certificate. Your website will have carefully trained the user in 
advance to ignore all security warnings and accept the rogue 
certificate. What a waste of time. The only thing you're protecting 
against is a passive attacker.

Cheers,
Nicholas Sherlock


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

