httpd-users mailing list archives

From "Mark H. Wood" <mw...@IUPUI.Edu>
Subject Re: [users@httpd] OpenSSL and apache2 wildcard self-signed certificate for nested subdomain
Date Wed, 14 Dec 2011 17:24:07 GMT
On Wed, Dec 14, 2011 at 02:04:37PM +0100, rey sebastien wrote:
[browsers don't trust certificates they haven't been told to trust]
> Is there any solution to bypass this problem? With another type of 
> self signed certificate which need no CA? or contain the CA I don't 
> know?

That would be like taking the front door off of your house because
you're tired of unlocking it every day.

A self-signed certificate is, essentially, its own CA.  (Every "root"
CA certificate is self-signed.)  Browsers come with lists of CAs'
certificates which they are "told" to trust out-of-the-box.  If the
browser encounters a certificate which is not in that list, and which
is not signed by some unbroken chain of certificates which leads back
to a certificate in that list, then it complains, because it has no
way to know that you trust that certificate.  If you tell the browser
to trust that certificate, the browser will thereafter assume that you
know your own business and will not complain about it anymore.  The
dialog is asking:  whom do you trust?

If it were possible for a website to evade this, SSL/TLS would be
useless for verifying that you are talking to the website you think
you are.  The conversation would still be encrypted, but having an
encrypted conversation with an unknown party doesn't sound secure to
me.

-- 
Mark H. Wood, Lead System Programmer   mwood@IUPUI.Edu
Asking whether markets are efficient is like asking whether people are smart.
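The check the reply above describes, as an added example that is not part of the original thread: a self-signed "root" certificate is built as its own CA, a leaf certificate for a wildcard name is issued under it, and `openssl verify` is asked whether the leaf chains to a certificate in the trust list it is given. All names are constructed, and the script assumes `openssl` (1.0.2 or newer, for `-verify_hostname`) is on the PATH.

```shell
#!/bin/sh
# Added example, not from the original thread. Constructed names throughout.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Minimal req config marking the self-signed certificate as a CA.
cat > "$WORK/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ca_ext
[dn]
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF

# make_root BASENAME CN: a self-signed certificate (issuer == subject),
# i.e. its own CA, written to $WORK/BASENAME.crt with key in BASENAME.key.
make_root() {
  openssl req -x509 -config "$WORK/ca.cnf" -newkey rsa:2048 -nodes -sha256 \
    -days 365 -subj "/CN=$2" -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}
make_root root  "Example Private Root"       # the root that signs our leaf
make_root other "Unrelated Private Root"     # a root the browser might trust instead

# A leaf for a wildcard name, signed by "root", with the name in a SAN.
printf 'subjectAltName=DNS:*.dev.example.test\n' > "$WORK/leaf.ext"
openssl req -new -config "$WORK/ca.cnf" -newkey rsa:2048 -nodes -sha256 \
  -subj "/CN=*.dev.example.test" \
  -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
openssl x509 -req -sha256 -days 365 -in "$WORK/leaf.csr" \
  -CA "$WORK/root.crt" -CAkey "$WORK/root.key" -CAcreateserial \
  -extfile "$WORK/leaf.ext" -out "$WORK/leaf.crt" 2>/dev/null

# verify_leaf TRUSTFILE HOSTNAME: "ok" if the leaf chains to a certificate
# in TRUSTFILE and its name covers HOSTNAME, otherwise "untrusted".
verify_leaf() {
  if openssl verify -CAfile "$1" -verify_hostname "$2" "$WORK/leaf.crt" \
       >/dev/null 2>&1; then echo ok; else echo untrusted; fi
}

echo "issuer not in trust list: $(verify_leaf "$WORK/other.crt" www.dev.example.test)"
echo "issuer in trust list:     $(verify_leaf "$WORK/root.crt" www.dev.example.test)"
echo "name one label too deep:  $(verify_leaf "$WORK/root.crt" a.b.dev.example.test)"
```

The third line shows the wildcard side of the original question: `*.dev.example.test` covers one label only, so a name nested a level deeper is rejected even though the issuer is trusted.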
