[Novalug] Displaying Clean Web Pages
Peter Larsen
plarsen at famlarsen.homelinux.com
Fri Dec 4 13:38:55 EST 2009
On Fri, 2009-12-04 at 12:07 -0500, Theodore Ruegsegger wrote:
> Peter Larsen wrote:
> > Btw. how come that quite a few of the "secure" OpenSource sites out there
> > use bad/expired SSL certs? Doesn't that defeat the purpose to begin with? I
> > tend to want to not accept bad certs but I find myself having to do exactly
> > that more often than not.
>
> Half a loaf is better than none. SSL encrypts the traffic, which is a
> good thing. A cert authenticates the site, another good thing. To use
> SSL (https) at all, whether authentication is important or not, you
> need a cert. Certs from a CA cost money, a self-signed one doesn't.
I fail to see the value of encryption without the validation. To me
they're both required if I'm supposed to send sensitive information over
the wire. If the site only worries about login credentials, that can be
solved better without the use and implementation of SSL.
As FOSS projects go, you'll find the cost for a CA-signed cert to be
minute or even non-existent (see link below). My point is that unless
you fully implement it, why implement it at all?
> If you need to protect the traffic, https with a self-signed cert is
> still better than plain http.
Why? If I'm "protecting" my data but sending it to the bad-guys anyway,
what have I won by encryption?
> If the risk of a man-in-the-middle attack is significant (that is, if
> the traffic could compromise valuable assets attractive to bad guys),
> the cost of a CA cert is worth it.
It's a lot more than "man in the middle". DNS hijacks or distribution of
tampered code are just some of the major examples of why validating the
sender is important.
> Expired certs? You got me there. Inattentive maintenance? Funds short?
http://www.earthtimes.org/articles/show/thawte-to-offer-free-ssl,1028851.shtml
There are good deals for most open source projects out there. Good deals
as in "free as in beer" deals. So cost shouldn't be a factor for those
kinds of projects.
--
Best Regards
Peter Larsen
Wise words of the day:
Make it idiot-proof, and someone will breed a better idiot.
-- Oliver Elphick
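As an added illustration of the "encryption without validation" point argued in this thread (example code, not part of either poster's mail): a Python client TLS context that encrypts but trusts any certificate, beside one that also authenticates the server, and a small audit that flags the weak settings. The function names are my own.

```python
import ssl


def encryption_only_context():
    """The 'half a loaf' configuration: traffic is encrypted, but the peer's
    certificate is never checked, so a self-signed, expired, or attacker-issued
    cert (e.g. after a DNS hijack) is accepted without complaint."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before verify_mode can be lowered
    ctx.verify_mode = ssl.CERT_NONE     # no CA validation at all
    return ctx


def authenticated_context(cafile=None):
    """Encryption plus authentication: the chain must lead to a trusted CA
    (system store, or the CA bundle given in cafile), the hostname must match,
    and expired certs are rejected as part of normal chain validation."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit_client_context(ctx):
    """Return a list of findings for settings that leave a client 'protecting'
    its data while possibly handing it to an unauthenticated party."""
    findings = []
    if ctx.verify_mode == ssl.CERT_NONE:
        findings.append("peer certificate is not validated against any CA")
    if not ctx.check_hostname:
        findings.append("hostname is not checked against the certificate")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("protocol versions below TLS 1.2 are allowed")
    return findings


if __name__ == "__main__":
    for name, ctx in (("encryption-only", encryption_only_context()),
                      ("authenticated", authenticated_context())):
        print(name, audit_client_context(ctx) or ["ok"])
```

Running the audit over a project's own client code paths (anything that sets `verify_mode` to `CERT_NONE` to "get past" a bad cert) is a quick way to find exactly the trade-off being debated here.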