Mailing List Archive



Re: [tlug] SSH Issues



Stephen J. Turnbull wrote:
> Curt Sampson writes:
>  > Stephen J. Turnbull wrote:
>  > 
>  > > But no, HTTPS is *not* analogous to DNSSEC.  It serves many purposes
>  > > without need of authentication or prior communication of any kind.
>  > 
>  > No, it does not serve those purposes, though there's a very common
>  > illusion out there that it does. There are MITM attacks in the wild
>  > based around exactly the common idea that you still have encryption
>  > without authentication.
>
> So what?  I mentioned how those attacks work in my reply to the OP,
> and obviously they apply to HTTPS, too.  I didn't say HTTPS with
> self-cert works for *all* purposes (for example, my bank had better
> authenticate as well as encrypt).  But I really don't worry that
> somebody's going to go to that much trouble to borrow my Slashdot
> password and post derogatory comments about you or President-elect
> Obama.

I guess the question is whether it is worth using SSL at all in
situations where self-signed certificates are used.  If you consider
that a standard SSL certificate costs about $20 a year, and just running
SSL requires significantly more system resources, the benefits of running
a non-authenticated server seem pretty minimal.

Edward

