[Dshield] Self-signed certificates (was: Re: ISP's That Ignore Abuse Reports)

Stephane Grobety security at admin.fulgan.com
Mon Jun 13 07:27:09 GMT 2005


Hello everyone.

I would like to remind you that using self-signed certificates and
private CAs for anything but internal use is bad(tm).

It is bad for the user because HTTP scanners can no longer check the
page for potential threats, it is bad for users because most navigators
behave differently when using an HTTPS connection, and it is bad for
users because most of them are clueless enough to click "ok, let me
through anyway" on anything, and encouraging them to follow that trend
is really, really not something anyone in his right security mind
wants.

Private CAs are worse because they have the potential for users to
permanently trust them and lower their security level even more, this
time more or less permanently.

In short: don't do this. Self-signed certs are ok if you have a way
to verify the thumbprint of the cert (that means: you have a secure
side channel). For anything else, they should be banned. Private CAs
must never be seen outside the organization, period.

Good luck,
Stephane

Sunday, June 12, 2005, 6:07:42 AM, you wrote:

j> https://atr2.ath.cx/~jayjwa/abusive-abuse-lists.html
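As an added example, not part of Stephane's post, here is the one case he allows for a self-signed certificate in Python: the client pins a SHA-256 thumbprint obtained over a secure side channel and refuses the connection unless the certificate the server presents matches it, so no "click through anyway" dialog ever reaches the user. The host, port and the sample certificate bytes are assumptions and constructed values.

```python
import hashlib
import hmac
import socket
import ssl


def fingerprint_sha256(der_cert: bytes) -> str:
    """SHA-256 thumbprint of a DER-encoded certificate, as colon-separated
    upper-case hex (the format `openssl x509 -fingerprint -sha256` prints)."""
    digest = hashlib.sha256(der_cert).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def _normalize(thumbprint: str) -> str:
    # Accept thumbprints copied with or without colons/spaces, any case.
    return thumbprint.replace(":", "").replace(" ", "").upper()


def thumbprint_matches(der_cert: bytes, expected: str) -> bool:
    """Constant-time comparison of the presented cert's thumbprint with the
    value that was obtained out of band (the 'secure side channel')."""
    return hmac.compare_digest(_normalize(fingerprint_sha256(der_cert)),
                               _normalize(expected))


def connect_pinned(host: str, port: int, expected: str,
                   timeout: float = 5.0) -> ssl.SSLSocket:
    """Open a TLS connection and keep it only if the peer certificate's
    thumbprint equals the pinned one; otherwise close and raise."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE   # chain validation is replaced by the pin
    raw = socket.create_connection((host, port), timeout=timeout)
    tls = ctx.wrap_socket(raw, server_hostname=host)
    der = tls.getpeercert(binary_form=True)
    if der is None or not thumbprint_matches(der, expected):
        tls.close()
        raise ssl.SSLCertVerificationError(
            "peer certificate thumbprint does not match the pinned value")
    return tls


# Constructed stand-in for a DER certificate body (not a real certificate).
SAMPLE_DER = b"constructed-sample-certificate-bytes-for-the-example"
```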





