On Sat, 19 Apr 2014 09:22:07 +0200 Reindl Harald <h.rei...@thelounge.net> wrote:
> On 19.04.2014 09:14, Stephan von Krawczynski wrote:
> > On Fri, 18 Apr 2014 13:57:47 -0400
> > Charles Marcus <cmar...@media-brokers.com> wrote:
> >
> >> Hi all,
> >>
> >> Ok, been wanting to do this for a while, and after the Heartbleed
> >> fiasco, the boss finally agreed to let me buy some real certs...
> >
> > Well, I guess one has to tell you that:
> > 1) No certs, no matter if self-signed or not, would have saved you from
> > heartbleed
>
> yes, but you seem not to understand that "Heartbleed" is the moment
> which you can use to say "now let us take SSL seriously" in general
> as well as other security topics because *now* you can point
> somewhere and say "look manager, things happening in real"

Yes, but all he has to do is ask you if this problem would have arisen if he had a "real cert" to know that your spending money would not have helped.

> > 2) "real certs" issued from cert-dealers are no more safe than your
> > self-signed was. In fact they add the risk of your cert-dealer being hacked
> > and you don't know. _This has happened_ already for at least one
> > cert-dealer.
> > So there is no proof at all that it will not happen again and this time
> > probably nobody will be informed, because the company is dead afterwards (just
> > like diginotar). In fact the whole cert business is a big fake currently
>
> yes but you can't change that nor can i

So you say: "better fake security than no security"?

> > 3) The whole SSL stuff can only be made secure by implementing methods to
> > authorize self-signed certs yourself and the clients using it being able to
> > check that. Every checking by external "authorities" is just an uncontrollable
> > security hole.
>
> bulls**t because you can't do that if your mailusers are ordinary
> customers and even if you manage to get them to import your self
> signed cert that *does not* change the fact that they get no alert
> in case of a MITM attack presenting whatever certificate signed
> by a CA all clients are trusting
>
> without certificate pinning you are lost in any case and with
> certificate pinning you can avoid the initial warning none
> of the ordinary users understands - so until you come with
> a solution for certificate pinning on an enduser's MUA better
> don't explain things anybody knows

It does not matter if you can do something _now_ or not. The only way to improve a situation that is not working is to say that it is not working (my way) and not to ignore it (your way).

-- 
Regards,
Stephan