walt posted on Wed, 02 May 2012 11:44:08 -0700 as excerpted:

> I see that both of my (very low-budget) news providers use self-signed
> certs anyway, so there is no protection from MITM possible in any case.
> (Cheap is cheap ;)

That's not exactly true.  As long as you either get the correct cert on 
the first connect (trusted first connect or get the cert via other 
channel, say via a secure web page that DOES have a properly signed 
cert... which is possible if they're actually doing financial 
transactions via that secure connection, many folks are careful enough 
not to do financial transactions over self-signed, at least), as long as 
that cert doesn't change, you can continue to trust it and it's as MitM-
proof as any signed cert at the same encryption level, self-signed or not.

Of course, if the first connection is compromised, or if either you or 
your client doesn't bother to check for consistency of cert after the 
first connection, /then/ someone could MitM it, but the idea is the same 
as with SSH, you gotta trust the channel you first get the cert with, but 
after that, you're protected as long as you're verifying that it's the 
same one each time.

Actually, in that regard a self-signed is often more secure than a 
certified signing authority signed cert.  Because most setups, browsers 
included, accept any properly signed certificate for the site and do NOT 
track changes, if for instance Iran hacks a signing authority and grants 
its own now signed certs for a site (as you're well aware if you follow 
such things, this actually happened, well, they're /reasonably/ sure it 
was Iran, it was SOMEONE using inappropriately certified certs), your 
browser won't let you know when they change, because they're all properly 
signed.  But if the site uses self-signed certs and you accept the valid 
one, if it changes, at least to another self-signed, you'll normally get 
the usual warnings all over again, and can act accordingly.

-- 
Duncan - List replies preferred.   No HTML msgs.
"Every nonfree program has a lord, a master --
and if you use the program, he is your master."  Richard Stallman


_______________________________________________
Pan-users mailing list
Pan-users@nongnu.org
https://lists.nongnu.org/mailman/listinfo/pan-users
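
The trust-on-first-connect check described in the message above, as an added example (not part of the original post and not Pan's own code). The byte strings stand in for DER-encoded certificates and the host name is a placeholder; in real use the bytes would come from the TLS socket, for instance Python's `SSLSocket.getpeercert(binary_form=True)`.

```python
import hashlib
import hmac
import json
import os
import tempfile

def fingerprint(der: bytes) -> str:
    """SHA-256 over the DER-encoded certificate, hex encoded."""
    return hashlib.sha256(der).hexdigest()

def check_pin(store_path: str, host: str, der: bytes) -> str:
    """Return 'first-use', 'match' or 'changed' for the cert presented by host.

    The pin is recorded only on first use; a changed cert never overwrites
    it, so the user has to decide out of band whether the change is legitimate.
    """
    pins = {}
    if os.path.exists(store_path):
        with open(store_path) as fh:
            pins = json.load(fh)
    seen = fingerprint(der)
    if host not in pins:
        pins[host] = seen
        with open(store_path, "w") as fh:
            json.dump(pins, fh)
        return "first-use"
    # Who signed the cert plays no part here: only byte-for-byte identity counts.
    return "match" if hmac.compare_digest(pins[host], seen) else "changed"

def demo() -> list:
    # Constructed stand-ins for DER certificates (not real certs).
    original = b"constructed-self-signed-cert-A"
    replacement = b"constructed-cert-B-with-any-issuer"
    with tempfile.TemporaryDirectory() as tmp:
        store = os.path.join(tmp, "pins.json")
        host = "news.example.invalid"  # placeholder host
        return [
            check_pin(store, host, original),     # first connect: trusted and stored
            check_pin(store, host, original),     # later connect: same cert
            check_pin(store, host, replacement),  # cert swapped: flagged
            check_pin(store, host, original),     # pin was not overwritten
        ]

if __name__ == "__main__":
    print(demo())
```

Because the comparison ignores the issuer, a replacement certificate is flagged whether it is self-signed or carries a valid CA signature.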
