[Dshield] Self-signed certificates (was: Re: ISP's That Ignore Abuse Reports)

Tony Earnshaw tonye at billy.demon.nl
Mon Jun 13 08:13:52 GMT 2005

Mon, 13.06.2005 at 09.27, Stephane Grobety wrote:

> I would like to remind you that using self-signed certificates and
> private CAs for anything but internal use is bad(tm).
> It is bad for the user because HTTP scanners can no longer check the
> page for potential threats, it is bad for users because most navigators
> behave differently when using an HTTPS connection and it is bad for
> users because most of them are clueless enough to click "ok, let me
> through anyway" on anything and encouraging them to follow that trend
> is really, really not something anyone in his right security mind
> wants.
> Private CAs are worse because they have the potential for users to
> permanently trust them and lower their security level even more, this
> time more or less permanently.
> In short: don't do this. Self-signed certs are ok if you have a way
> to verify the thumbprint of the cert (that means: you have a secure
> side channel). For anything else, they should be banned. Private CAs
> must never be seen outside the organization, period.

If that were sound advice, then 99% of all Internet MTAs aren't
following it, nor do many ISPs who demand a client certificate for
client MTA authorization.

I certainly don't follow it for opportunistic https, IMAPS and TLS
encryption to my site, where the clientele is purely members of my
site's organization, or where my MTA uses opportunistic encryption
purely for STARTTLS before SASL authorization. It would be otherwise if
I were running a public web server. 

I don't agree with OP's view of DNSBLs either, but that's an argument
I'm *not* going to get into.


mail: tonye at billy.demon.nl
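
The thumbprint check mentioned in the quoted message, as an added example that is not part of either poster's text: a client that accepts a self-signed certificate only when its digest matches a value received over a separate trusted channel. The function names and the sample bytes are assumptions made for illustration.

```python
import hashlib
import hmac
import socket
import ssl

# Digest is selected by the length of the pinned thumbprint in hex characters.
DIGEST_BY_HEX_LEN = {40: "sha1", 64: "sha256"}

# Constructed stand-in for a certificate's DER bytes (not a real certificate).
SAMPLE_DER = b"constructed stand-in for DER certificate bytes"


def normalize_thumbprint(text):
    """Accept 'AB:CD:..', 'ab cd ..' or 'abcd..' and return lowercase hex."""
    hex_str = "".join(ch for ch in text if ch not in ": -\t\r\n").lower()
    if len(hex_str) not in DIGEST_BY_HEX_LEN:
        raise ValueError("thumbprint must be a SHA-1 or SHA-256 digest")
    bytes.fromhex(hex_str)  # raises ValueError on non-hex characters
    return hex_str


def matches_pin(der_cert, pinned):
    """True if the DER certificate hashes to the pinned thumbprint."""
    pin = normalize_thumbprint(pinned)
    actual = hashlib.new(DIGEST_BY_HEX_LEN[len(pin)], der_cert).hexdigest()
    return hmac.compare_digest(actual, pin)


def connect_pinned(host, port, pinned, timeout=10.0):
    """Open TLS to a self-signed server, accepting only the pinned cert."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False       # there is no CA chain to validate;
    ctx.verify_mode = ssl.CERT_NONE  # trust comes from the pin alone
    raw = socket.create_connection((host, port), timeout)
    sock = ctx.wrap_socket(raw, server_hostname=host)
    der = sock.getpeercert(binary_form=True)
    # Check the pin before any application data is sent.
    if not der or not matches_pin(der, pinned):
        sock.close()
        raise ssl.SSLError("certificate does not match pinned thumbprint")
    return sock


if __name__ == "__main__":
    pin = hashlib.sha256(SAMPLE_DER).hexdigest()
    print(matches_pin(SAMPLE_DER, pin), matches_pin(SAMPLE_DER + b"x", pin))
```

The pin is only as trustworthy as the channel it arrived over; a thumbprint copied from the same connection it is meant to verify proves nothing.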
