You misunderstand the signing practice if you think this is a good idea. Granted, it provides a low level of encryption for clients but it does not provide Non-repudiability to those users, opening them up to MitM attacks.
Sent from my iPhone > On Mar 14, 2014, at 16:35, Guido Witmond <gu...@witmond.nl> wrote: > >> On 03/14/14 19:56, Julian Oliver wrote: >> ..on Fri, Mar 14, 2014 at 10:46:30AM -0700, Lucas Gonze wrote: >>> Let's say web servers auto generated self-signed certificates for any >>> domain that didn't supply its own certificate, likely one from an authority. >>> >>> What that would accomplish is to make the stream unreadable over the wire, >>> unless the attacker was willing and able to do an MITM with their own auto >>> generated self-signed certificate. >>> >>> It would not be hard to do that MITM, but it would be orders of magnitude >>> more expensive than copying unencrypted bytes off the router. It would not >>> be practical to do the MITM against a large portion of traffic. The >>> attacker would have to pick their targets. >> >>> >>> Thoughts? > >> >> It would be good if Debian and other popular GNU/Linux LAMP distributions >> made >> OpenSSL/TLS key generation (and set up of a VirtualHost template for :443) an >> encouraged option during an Apache installation (OpenSSL is a dependency >> anyway). It could be a simple walkthrough with Qs for CN and admin email, >> abstracting over the classic and ungainly: >> >> openssl req -new -x509 -days 365 -nodes -out >> /etc/ssl/localcerts/apache.pem -keyout /etc/ssl/localcerts/apache.key > > One could also automatically derive the DNSSEC-DANE TLSA record from > that server certificate and mail it to the sysadmin. Include a paragraph > that explains that by publishing that record, the site has stronger > protections against MitM-attacks than possible with CA-bought certificates. > > (the downside is that user need to install the Extended-DNSSEC-Validator > plug in). > > > > Regards, Guido. > > -- > Liberationtech is public & archives are searchable on Google. Violations of > list guidelines will get you moderated: > https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe, > change to digest, or change password by emailing moderator at > compa...@stanford.edu. -- Liberationtech is public & archives are searchable on Google. Violations of list guidelines will get you moderated: https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe, change to digest, or change password by emailing moderator at compa...@stanford.edu.
