[Dshield] Self-signed certificates (was: Re: ISP's That Ignore Abuse Reports)
security at admin.fulgan.com
Mon Jun 13 07:27:09 GMT 2005
I would like to remember you that using self-signed certificate and
private CAs for anything but internal use is bad(tm).
It is bad for the user because HTTP scanners can no longer check the
page for potential threats, it is bad for users because most navigator
behave differently when using an HTTPS connection and it is bad for
users because most of them are clueless enough to click "ok, let me
through anyway" on anything and encouraging them to follow that trend
is really, really not something anyone in his right security mind
Private CAs are worse because it has the potential for user to
permanently trust them and lower their security level even more, this
time more or less permanently.
In short: don't do this. Self-signed certs are ok if you have a way
to verify the thumbprint of the cert (that means: you have a secure
side channel). For anything else, they should be banned. Private CA
must never been seen outside the organization, period.
Sunday, June 12, 2005, 6:07:42 AM, you wrote:
More information about the list