Martin,

On 3/19/13 7:34 AM, Martin Gainty wrote:
> 1) Have you ever tried to coerce IE to accept a self-signed cert

This is a trust issue, not a security issue. They are related, but not equivalent.

> 2) if you purchase a pfx with a self-signed certificate sold to you
> by chris_is_a_hacker.com for 1.00 then who do you think can break
> it

I'm not sure what a PFX is, but the certificate itself is as strong as the key used to create it. If you generate a 1-bit key, you'll be hacked in 0 minutes. But nobody does that: we all create 4096-bit keys which, theoretically, can't be broken even by a well-funded adversary with unreasonably-limited computing power before the sun gets tired of shining.

> The cert allows browser to contact the site's SSL connector..by
> presenting credentials usually from a Name Server such as ADS or
> LDAP

Woah, your algorithm has started to bring in random bits of search results from the Internet. Time to reset your learning tree and start again.

> the real work involves breaking the algorithm implemented by the
> key

Yup. Good luck with RSA and friends.

> in order to establish Key exchange on a SSLv2 transport

Anyone using SSLv2 is vulnerable, which is why it's no longer used. For a long time, now.

> I sincerely doubt even chris_is_a-hacker can break any of the RSA
> algorithms implemented by the key inside a versign.pfx

While true, it's also true of your own self-signature. Verisign uses a 2048-bit key to sign everything. Most sites these days use 4096-bit keys (at least those I configure, apache.org, etc.). (Oddly enough, Facebook uses a 1024-bit key.) If you create a server cert with a 4096-bit key, you are creating a fairly secure certificate no matter who signs it. And, if you sign it yourself and keep the key secure (which is kind of impossible unless you are using a different key for signing than you do for the server's key) then you are doing better than any CA out there.

Again, the CA is only there to provide a trusted 3rd-party: they have nothing to do with the security of the connection, the hackability of the server, etc.

-chris
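The distinction the message above draws between key strength and trust, as an added example that is not part of the original e-mail thread: the same self-signed certificate reports the same key size whether a verifier rejects or accepts it, and only the trust anchor changes the outcome. It assumes the openssl CLI is installed; the function names and the example.test subject names are constructed for illustration.

```sh
#!/bin/sh
# Added example: key strength and trust are answered by different checks.
# Assumes the openssl CLI is on PATH; subject names below are constructed.

# make_selfsigned DIR NAME [BITS]: write DIR/NAME.key and self-signed DIR/NAME.crt
make_selfsigned() {
    openssl req -x509 -newkey "rsa:${3:-4096}" -nodes -sha256 -days 30 \
        -subj "/CN=$2.example.test" \
        -keyout "$1/$2.key" -out "$1/$2.crt" 2>/dev/null
}

# key_bits CERT: RSA modulus size in bits (4 bits per hex digit of the modulus)
key_bits() {
    mod=$(openssl x509 -in "$1" -noout -modulus) || return 1
    mod=${mod#Modulus=}
    echo $(( ${#mod} * 4 ))
}

# is_self_signed CERT: true when the issuer name equals the subject name
is_self_signed() {
    [ "$(openssl x509 -in "$1" -noout -subject_hash)" = \
      "$(openssl x509 -in "$1" -noout -issuer_hash)" ]
}

# trusted_by CERT ANCHOR: true when CERT verifies against the anchor file
trusted_by() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# demo [BITS]: same certificate, same key, two different trust stores
demo() {
    d=$(mktemp -d) || return 1
    make_selfsigned "$d" server "${1:-4096}" &&
    make_selfsigned "$d" unrelated 2048 || return 1
    echo "key size:    $(key_bits "$d/server.crt") bits"
    is_self_signed "$d/server.crt" && echo "issuer:      self-signed"
    trusted_by "$d/server.crt" "$d/unrelated.crt" ||
        echo "other store: rejected (signer not trusted)"
    trusted_by "$d/server.crt" "$d/server.crt" &&
        echo "own store:   accepted (signer imported as trusted)"
    rm -rf "$d"
}

# Run the demo only when asked: sh example.sh --demo [BITS]
if [ "${1:-}" = "--demo" ]; then demo "${2:-4096}"; fi
```

Importing the certificate as its own trust anchor is the command-line counterpart of accepting a self-signed certificate in a browser; the key, and therefore the cryptographic strength, is identical in both verification runs.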