> -----Original Message-----
> From: cjder...@gmail.com [mailto:cjder...@gmail.com] On Behalf Of chris derham
> Sent: Tuesday, March 19, 2013 1:58 AM
> To: Tomcat Users List
> Subject: Re: SSL Best Practices
>
> > If the system is only for testing, or communicates with a limited
> > number of systems (i.e., it is a firewalled backend system that only
> > communicates with a front-end system), then again, a self-signed
> > certificate would be fine.
>
> +1
>
> > I do agree that if this is a public facing system, or one in an
> > organization with a large number of users that does not have its own
> > CA infrastructure, then a commercial certificate would be the best
> > choice.
>
> Commercial certificate authorities are actively targeted by hackers,
> and when they are broken into, the trust each OS has configured of such
> certificates can cause issues. The recent Google SSL certificate issue
> shows what happens when things go wrong. If users will access the site
> via a browser, then the browser warning will confuse them/make them
> used to ignoring security warnings. For applications communicating with
> each other, a self-signed certificate will actually be more secure than
> a certificate authority issued certificate - assuming you trust your
> internal security more than you trust that of a commercial certificate
> authority. It all depends on what the certificate will be used for.
>
> Chris
What you say is all true, but if the public is accessing the site, there is no real alternative to a commercial certificate, because there will be no way to ascertain the trust of the site at all, and as you say users will be confused by the browser warnings. Unfortunately, the security of the Internet is dependent on a relative handful of commercial certificate authorities, several of whom have either been hacked, or who have not properly vetted requesters for certificates.

Jeffrey Harris
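The two trust models argued above (a self-signed certificate pinned by the peer for machine-to-machine links, versus reliance on the OS's public CA store) can be compared in a few lines of Go. This is an added example, not code from the thread or from Tomcat; the host name backend.internal is constructed, and the handshakes run over loopback so the result depends only on which roots the client trusts.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"math/big"
	"time"
)

// mustSelfSigned mints a fresh self-signed server cert for the constructed name backend.internal.
func mustSelfSigned() tls.Certificate {
	pub, key, _ := ed25519.GenerateKey(rand.Reader) // crypto/rand.Reader cannot fail since Go 1.24
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), DNSNames: []string{"backend.internal"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, key)
	if err != nil {
		panic(err)
	}
	leaf, _ := x509.ParseCertificate(der) // DER we just produced always parses
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}

// handshake: a loopback server presents cert; the client verifies against pool only (nil = OS store).
func handshake(cert tls.Certificate, pool *x509.CertPool) error {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{cert}})
	if err != nil {
		return err
	}
	defer ln.Close()
	go func() { // server side: finish one handshake, or abort on the client's alert
		if c, err := ln.Accept(); err == nil {
			c.(*tls.Conn).Handshake()
			c.Close()
		}
	}()
	conn, err := tls.Dial("tcp", ln.Addr().String(), &tls.Config{RootCAs: pool, ServerName: "backend.internal"})
	if err != nil {
		return err
	}
	return conn.Close()
}

// TrustOutcomes: pinned = peer's own cert is the only root; impostor = another self-signed cert for
// the same name (standing in for any other issuer); system = whatever the OS CA store trusts.
func TrustOutcomes() (pinned, impostor, system error) {
	ours, other := mustSelfSigned(), mustSelfSigned()
	pool := x509.NewCertPool()
	pool.AddCert(ours.Leaf)
	return handshake(ours, pool), handshake(other, pool), handshake(ours, nil)
}
```

Only the pinned handshake succeeds: the impostor is rejected even though its name matches, which is the property Chris describes, and the OS store rejects the self-signed cert, which is the browser warning Jeffrey describes.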