1) Have you ever tried to coerce IE to accept a self-signed cert?

2) If you purchase a pfx with a self-signed certificate sold to you by chris_is_a_hacker.com for 1.00, then who do you think can break it?

The cert allows the browser to contact the site's SSL connector by presenting credentials, usually from a name server such as ADS or LDAP. The real work involves breaking the algorithm implemented by the key in order to establish key exchange on an SSLv2 transport. I sincerely doubt even chris_is_a_hacker can break any of the RSA algorithms implemented by the key inside a verisign.pfx.

'Nuf Said

Martin
> From: jeffrey.har...@mantech.com
> To: users@tomcat.apache.org; ch...@derham.me.uk
> Date: Tue, 19 Mar 2013 06:04:52 -0400
> Subject: RE: SSL Best Practices
>
> > -----Original Message-----
> > From: cjder...@gmail.com [mailto:cjder...@gmail.com] On Behalf Of chris derham
> > Sent: Tuesday, March 19, 2013 1:58 AM
> > To: Tomcat Users List
> > Subject: Re: SSL Best Practices
> >
> > > If the system is only for testing, or communicates with a limited
> > > number of systems (i.e., it is a firewalled backend system that only
> > > communicates with a front-end system), then again, a self-signed
> > > certificate would be fine.
> >
> > +1
> >
> > > I do agree that if this is a public facing system, or one in an
> > > organization with a large number of users that does not have its own
> > > CA infrastructure, then a commercial certificate would be the best
> > > choice.
> >
> > Commercial certificate authorities are actively targeted by hackers,
> > and when they are broken into, the trust each OS has configured of such
> > certificates can cause issues. The recent Google SSL certificate issue
> > shows what happens when things go wrong. If users will access the site
> > via a browser, then the browser warning will confuse them/make them
> > used to ignoring security warnings. For applications communicating with
> > each other, a self-signed certificate will actually be more secure than
> > a certificate authority issued certificate - assuming you trust your
> > internal security more than you trust that of a commercial certificate
> > authority. It all depends on what the certificate will be used for.
> >
> > Chris
>
> What you say is all true, but if the public is accessing the site,
> there is no real alternative to a commercial certificate, because there will
> be no way to ascertain the trust of the site at all, and as you say users
> will be confused by the browser warnings.
>
> Unfortunately, the security of the Internet is dependent on a relatively
> handful of commercial certificate authorities, several of whom have either been
> hacked, or who have not properly vetted requesters for certificates.
>
> Jeffrey Harris
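Chris's point (two internal systems trusting only each other's self-signed certificate, so that no commercial CA, compromised or not, is part of the decision) and Martin's point 1 (a browser or any platform trust store rejects such a certificate) can both be shown with openssl alone. The script below is an added example and is not code from the thread or from the Tomcat project; it assumes openssl 1.1.1 or later is on the PATH, and the directory variable `WORK`, the file base names and the hostname `app-a.internal` are made up for the demonstration.

```shell
#!/bin/sh
# Added example, not from the thread. Models the arrangement Chris describes:
# one backend trusts exactly one self-signed certificate from its peer, so
# nothing a commercial CA issues (or loses to an intruder) affects that check.
# Assumed: openssl 1.1.1+ on PATH; WORK, the file names and the hostname
# app-a.internal are made up for this demonstration.
set -e

WORK="${WORK:-$(mktemp -d)}"

# Create a self-signed certificate and key for a backend system.
# $1 = file base name, $2 = hostname placed in CN and subjectAltName
make_self_signed() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
    -subj "/CN=$2" -addext "subjectAltName=DNS:$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.crt" >/dev/null 2>&1
}

# Pinned trust: verify the peer's cert ($1) against one anchor ($2) only,
# with the default CA directory explicitly disabled, and check that the
# cert is for hostname $3. Returns 0 only if the peer presents exactly the
# certificate we chose to trust.
verify_pinned() {
  openssl verify -no-CApath -CAfile "$WORK/$2.crt" \
    -verify_hostname "$3" "$WORK/$1.crt" >/dev/null 2>&1
}

# Browser-style trust: verify against the platform's default CA store.
# A self-signed cert has no path to any public root, so this fails; that is
# the warning Martin refers to in point 1.
verify_with_system_store() {
  openssl verify "$WORK/$1.crt" >/dev/null 2>&1
}

# SHA-256 fingerprint: the value an operator copies into the peer's
# configuration, or compares out of band, when exchanging self-signed certs.
fingerprint() {
  openssl x509 -in "$WORK/$1.crt" -noout -fingerprint -sha256 | cut -d= -f2
}

# Stand-alone run (sh script.sh demo): the genuine cert passes the pinned
# check, a second cert with the same hostname but its own key does not, and
# the system store rejects the self-signed cert.
if [ "${1:-}" = "demo" ]; then
  make_self_signed appa app-a.internal
  make_self_signed other app-a.internal
  verify_pinned appa appa app-a.internal && echo "pinned: genuine cert accepted"
  verify_pinned other appa app-a.internal || echo "pinned: same-name cert with a different key rejected"
  verify_with_system_store appa || echo "system store: self-signed cert rejected"
  echo "pin this fingerprint on the peer: $(fingerprint appa)"
fi
```

The same model in Tomcat terms: the server's own key and certificate go into the connector's keystore, and the peer's certificate (only that one) goes into the client's truststore with `keytool -importcert`, so the client verifies the connection against that single anchor rather than the JVM's bundled CA list.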