For most serious applications of SSL, not really...

Imagine you went to buy a book at Amazon and when you clicked on "checkout", you got a 
warning saying, "we're having a problem with our server and so you might get a browser warning 
about site name not matching certificate. Don't worry, just carry on and type in your credit card 
number anyway..." - would you?

I guess if you have a limited application where the server holds the 
confidential data and the clients are just browsing it and there's no 
conceivable risk of anyone impersonating the server to serve up false data, 
then maybe it would be enough. But if the clients have anything confidential to 
submit, you really need authentication as much as encryption - put it another 
way, if you send your money off in an armoured car, you'd better make sure the 
driver really goes to the bank.

The most we're talking about here is a username/password for forums/ftp/webmail. I definitely don't have the infrastructure in place for any serious e-commerce sites, nor would I want that kind of responsibility placed on my home business at this stage.

I'm curious, though, about your cautionary statements. In what way could this setup potentially be abused? Assume that the only people who use any SSL-encrypted services on my secondary domains are fully aware of my primary domain and know that I am the one handling their hosting. Thus, when they receive a warning message about their certificate, they'd see my name and know it's OK. Is there a way for a 3rd party to abuse this and hijack their data?

The only thing I can think of is if someone messed with their DNS so that they go to another server pretending to be me. But, even with authentication, the only way to truly prevent that would be to use "trusted" certs, which cost, what, $200? (something I don't have at the moment) As long as I'm self-signing, anyone can self-sign and pretend to be me.


Regards,
David P. Donahue
[EMAIL PROTECTED]
http://www.cyber0ne.com

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: [EMAIL PROTECTED]
  "   from the digest: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
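The DNS-tampering scenario raised above, and why the name inside a self-signed certificate cannot by itself stop it, as an added example that is not from this thread or from the Apache project: the client pins the one certificate it received out of band (the users here already know who hosts them), so a second self-signed certificate bearing the same name is rejected without any public CA being involved. It uses Go's crypto/x509; the domain cyber0ne.com from the signature is only a constructed value here.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// selfSigned mints a self-signed server cert for host with a fresh key; anyone can do this for any name.
func selfSigned(host string) (*x509.Certificate, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// verifyPinned trusts only the copy obtained out of band (the pin), consults no CA, and still checks host.
func verifyPinned(presented, pinned *x509.Certificate, host string) error {
	roots := x509.NewCertPool()
	roots.AddCert(pinned)
	_, err := presented.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err
}

func main() {
	const host = "cyber0ne.com" // the thread's domain, used here as a constructed example
	genuine, err1 := selfSigned(host)
	impostor, err2 := selfSigned(host) // same name, different key: what a spoofed server would present
	if err1 != nil || err2 != nil {
		panic("certificate generation failed")
	}
	fmt.Println("genuine:", verifyPinned(genuine, genuine, host))   // <nil>
	fmt.Println("impostor:", verifyPinned(impostor, genuine, host)) // unknown authority error
}
```

Browsers of the time had no pinning, so the prompt the user sees is the same for both certificates; the distinction only exists when the client software carries the pin.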