Re: SSL certificates
Kai Hendry wrote:
>On Sun, Sep 19, 2004 at 08:03:17PM +0100, Andrew Suffield wrote:
>>appreciably secure, and users can't tell the difference anyway. This
>>doesn't matter because nobody attacks anything worthwhile by capturing
>>traffic. SSL is basically irrelevant on the modern internet [see
>>crypto-gram, earlier this year].
>After searching about I found:
>http://www.schneier.com/crypto-gram-0401.html Letter from John Viega
>Either I am opening a can of worms here or I am wasting time, but what
>am I or applications supposed to be using then?
>Is it a myth that passwords in the plain are a bad idea? Aren't there
>tools in existence to detect ftp/telnet/insecure authentications?
>Does the "modern internet" mean we are packet switched to safety?
It is close enough for most things. There are services that do not
require SSL, and then there are some for which SSL would be a good thing. For
example, things like bugzilla do not need SSL (IMO :), as well as "shopping
carts". What you need SSL for is things like credit card processing or
logging in to your remote box.
But then *I* do not need or want a third party to have a telnet
replacement. As for other services, well, do not provide access to them
from unencrypted traffic. Set up IPSec between your boxes. Self-sign the
cert and be done with it (you do trust yourself, don't you? :)
But if you need a "real" cert (e.g. credit card processing), then you
should be able to buy the cert since it is "only" ~$200.
>I have seen people create different passwords for different services,
>but I wanted every user to use the same password from PAM for every
>service my Debian box offers. Am I being too naive?
>Are there any other docs I have missed?
see racoon (apt-get install racoon). It sets up IPSec. You should also
look for IPSec HOWTOs.
PS. ssh tunnels are crap in comparison to IPSec since ssh goes over TCP.
Building your applications one byte at a time