On 18-Mar-07, at 12:45 AM, Randal T. Rioux wrote:
Tremaine Lea wrote:
Having said that, the BCSG *will* refuse self-signed certs and
expired
certs etc.
That is the stupidest thing I've ever heard. Honestly, a paid-for cert
is barely more trustworthy than a self-signed cert. The entire cert
system is broken by design, and benefits nobody but the money
collectors
at the major companies (VeriSign, Entrust, etc).
Can somebody convince me that my understanding is mistaken?
Thanks,
Randy
It's as stupid as IE7's handling of it really. Without a better
understanding of the certification process by the end user, the
benefits are certainly not as clear. Certainly it prevents MITM
issues during the https transaction, but that may be about it with
some exceptions. With IE7 it can certainly produce problems on an
internal network, at least initially. IE7 will actually refuse to
connect you with the site. Bluecoat at least provides you with the
opportunity to exclude a network from checks, like your own.
On the pros side of the fence, with a paid certificate such as those
through Verisign, the benefit over a self signed cert is a lot
clearer. Unfortunately there are companies that will hand you a cert
with very little in the way of verification which destroys the
usefulness of it. Self signed certs are useful in instances where
you trust the issuer to begin with, or in corporate networks. For a
small company trying to establish an ecommerce presence however, they
have not yet earned the trust or established themselves to the point
where jane and joe intertubes can (or should?) trust them.
Tremaine
------------------------------------------------------------------------
Test Your IDS
Is your IDS deployed correctly?
Find out quickly and easily by testing it
with real-world attacks from CORE IMPACT.
Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw
to learn more.
------------------------------------------------------------------------
