But then, you're better off setting up your own CA between your clients and servers.
Kind regards,
-Marcel Waldvogel
(short & sweet)

> On 05.05.2016 at 07:09, DannyD <[email protected]> wrote:
>
> They absolutely do. If you construct your own chain (qualified answer:
> strong crypto, valid fields, proper chaining), from end-to-end with only
> certs that you trust and control, you're 100%.
>
> Hard is getting client (with only pinned cert) and server (with only pinned
> cert) combo deployed where you need.
>
> Recommend this book:
> http://www.amazon.com/gp/aw/d/1907117040/ref=mp_s_a_1_1?qid=1462424910&sr=8-1&pi=SY200_QL40&keywords=bulletproof+tls&dpPl=1&dpID=41QGf5IVA3L&ref=plSrch
>
> Delivered by drones...
>
>> On May 4, 2016 9:53 PM, "Marcel Waldvogel"
>> <[email protected]> wrote:
>> But then again, these days, self-signed certs have no advantage over
>> CA-signed certs.
>>
>> Kind regards,
>> -Marcel Waldvogel
>> (short & sweet)
>>
>>> On 04.05.2016 at 16:05, Dave Cridland <[email protected]> wrote:
>>>
>>>> On 3 May 2016 at 19:10, Tomasz Sterna <[email protected]> wrote:
>>>> On 03.05.2016, Tue at 09:40 -0700, user
>>>> [email protected] wrote:
>>>> > I suspect you wouldn't want s2s to use a self signed cert, so
>>>> > allowing two level of verification (c2s and s2s) sounds complex. You
>>>> > fix one thing in software and you break something else.
>>>>
>>>> So, why would you allow self-signed on C2S?
>>>>
>>>> Why do you want to use encryption in the first place?
>>>> So, no one is able to read the conversation, right?
>>>> But self-signed cert does not give you this... Just a false illusion
>>>> that you are protected from eavesdropping.
>>>> But self-signed does not protect you from man-in-the-middle attack, so
>>>> basically still anyone able to tap the wire your transmission is going
>>>> through is able to read it, with just slightly more effort.
>>>
>>> I used to agree with you, but I've changed my mind over the years - it
>>> turns out that because it forces an attacker to switch from passive
>>> eavesdropping to active MITM, this is a blocker for the majority of
>>> attackers, especially opportunistic or mass-surveillance actors.
>>>
>>> So a self-signed cert is better than no cert at all (even if you want
>>> something independently verifiable ideally).
>>>
>>>> > I noticed the online documentation doesn't completely match the xml,
>>>> > but there are enough comments in the xml that I could get close to
>>>> > setting it up. It is just the certs that are confusing.
>>>>
>>>> Yeah. The real and up to date source of documentation are the comments
>>>> in the configuration files.
>>>>
>>>> --
>>>> /o__
>>>> (_<^' Practice is the best of all instructors.
>>>>
>>>> _______________________________________________
>>>> JDev mailing list
>>>> Info: http://mail.jabber.org/mailman/listinfo/jdev
>>>> Unsubscribe: [email protected]
>>>> _______________________________________________
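Marcel's closing suggestion, running a private CA between your own clients and servers, worked through as an added example in Go using only the standard library's crypto/x509 (this is not code from the thread or from any XMPP server). It issues a private root, a server cert signed by that root, and an unrelated self-signed cert for the same constructed hostname `xmpp.example.org`, then verifies both against a trust store that holds only the private root: the CA-issued cert chains and the self-signed one is rejected, which is the client-side check that turns the passive-versus-active point above into a real defence against a substituted certificate.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// issueCert returns a cert and key for name: self-signed when parent == nil, else signed by parent (our CA).
func issueCert(name string, isCA bool, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader) // on Go 1.24+ crypto/rand never returns an error (it aborts instead)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: isCA, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign // only the CA may sign other certificates
	} else { // a server cert must name the host that clients connect to
		tmpl.DNSNames, tmpl.ExtKeyUsage = []string{name}, []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	if parent == nil { // self-signed: the template signs itself
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		panic(err) // demo only; a real issuer would report this
	}
	cert, _ := x509.ParseCertificate(der) // DER produced by CreateCertificate always parses
	return cert, key
}

// Demo: private CA, a server cert it issued, and an unrelated self-signed cert for the
// same host, each verified against a trust store holding only the private root.
func Demo() (caIssuedOK, selfSignedOK bool) {
	const host = "xmpp.example.org" // constructed hostname
	ca, caKey := issueCert("Example Private XMPP CA", true, nil, nil)
	server, _ := issueCert(host, false, ca, caKey)
	selfSigned, _ := issueCert(host, false, nil, nil)
	roots := x509.NewCertPool()
	roots.AddCert(ca) // peers trust exactly this one root, not the public CA set
	_, errA := server.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	_, errB := selfSigned.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return errA == nil, errB == nil // expect true, false
}
```

Loading the private root as the only entry in `Roots` is what makes the pinning strict: a certificate that the public CA ecosystem would happily accept still fails here unless your own CA issued it.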
