[Discuss] Delivering mail to folders

John Abreau jabr at blu.org
Mon Feb 1 19:59:42 EST 2016 

Apparently I've been doing it "wrong" all these years. I've always created
my own CA and signed my certificates with it, and I thought that's what the
term "self-signed" meant.

On Mon, Feb 1, 2016 at 5:50 PM, Edward Ned Harvey (blu) <blu at nedharvey.com>
wrote:

> > From: Discuss [mailto:discuss-bounces+blu=nedharvey.com at blu.org] On
> > Behalf Of Tom Metro
> >
> > > Ever-so-slightly better than no encryption.
> >
> > Huh? We're talking about using a self-signed cert for IMAP access, right?
> >
> > Self-signed certs have all the same cryptographic benefits as a CA
> > signed cert, including having your client validate the cert, if you
> > install your own root cert on your clients.
> >
> > The only down-side to self-signed certs is the inconvenience of having
> > to install the root certs on your clients. This is why they aren't used
> > for public web sites.
>
> Creating a self-signed cert isn't the same thing as creating your own CA
> and installing the CA root as a trusted root on your clients. If you create
> your own CA and distribute your own CA root to all your clients - as you
> said - you'll get pretty good security (unless you screw something up). A
> self-signed cert is one which certifies itself. The client cannot follow
> any chain to a trusted root, so the client needs to either reject the cert,
> or prompt for user interaction (in which case, users almost invariably
> click "accept," and thus are easy to attack via MITM). If the user accepts
> the cert, some clients (such as firefox) have the option to do certificate
> pinning, so it won't prompt again when it sees the same self-signed cert,
> similar to the way ssh behaves when connecting to a new unrecognized server.
>
> But if you have a client that prompts you to accept a self-signed cert,
> and you accept it, and the client pins it, and at a later time the cert
> changes (MITM attack)... Does the client prompt you again? Openssh refuses
> to talk to a server with a pubkey different from the pinned key, as it
> should. But every SSL client I've ever seen (firefox, chrome, ie, etc) will
> prompt you again to accept the unrecognized cert, so even highly technical
> and reasonably alert people are still vulnerable to the MITM attack on a
> self-signed cert. ... As David in particularly would be, because he
> mentioned a checkbox for "ssl accept any certificate," and asked "is that a
> good option?"
> _______________________________________________
> Discuss mailing list
> Discuss at blu.org
> http://lists.blu.org/mailman/listinfo/discuss
>



-- 
John Abreau / Executive Director, Boston Linux & Unix
Email jabr at blu.org / WWW http://www.abreau.net / PGP-Key-ID 0x920063C6
PGP-Key-Fingerprint A5AD 6BE1 FEFE 8E4F 5C23  C2D0 E885 E17C 9200 63C6

More information about the Discuss mailing list