[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: SSL certificates

On Sun, Sep 19, 2004 at 08:03:17PM +0100, Andrew Suffield wrote:
> > certificate. A thrustworthy CA does all kind of background checks in order 
>                  ^^^^^^^^^^^^
> > to assure that he's giving a certificate to the correct person/company (not 
> > somebody trying to suplant them) and to check that the certificate is being 
> > handled correctly so that it is not that easy to be lost.
> So very appropriate.
> The extant CAs aren't appreciably trustworthy, nor are they
> appreciably secure, and users can't tell the difference anyway. This

I was not actually thinking in my previous answer about the common CAs 
(Verising, Thawte, ValiCert, Entrust...) bundled with most software [1]. I 
was thinking on internal-use CAs, for example, a company's CA, which can 
serve quite well in closed environments (a single organisation) through a 
PKI environment.

> doesn't matter because nobody attacks anything worthwhile by capturing
> traffic. SSL is basically irrelevant on the modern internet [see
> crypto-gram, earlier this year].

Well, interception and sniffing attacks (i.e. dsniff) cannot be made in a
large scale, so that's why trojan horses, phishing attacks and direct
database theft are much more common. Not that SSL would prevent
interception attacks, since most people will blindly say yes to the "Accept
this certificate" prompt they are show when shown a certificate that is
different from their bank.

However, I do believe PKI has a place in controlled environments, where 
users can at least be educated and their systems can be preconfigured to 
avoid presenting those "Do you agree?" prompts.



[1] The ones that show up when you do in Mozilla Preferences -> Privacy & 
Security -> Certificates -> Manage Certificates -> Authorities

Attachment: signature.asc
Description: Digital signature

Reply to: