On Sun, Oct 14, 2012 at 5:59 AM, Daniel Farina <dan...@heroku.com> wrote:
> On Sat, Oct 13, 2012 at 7:00 AM, Andrew Dunstan <and...@dunslane.net> wrote:
>> Does Debian create a self-signed certificate? If so, count me as
>> unimpressed. I'd argue that's worse than doing nothing. Here's what the docs
>> say (rightly) about such certificates:
>
> Debian will give you a self signed certificate by default. Protecting
> against passive eavesdroppers is not an inconsiderable benefit to get
> for "free", and definitely not a marginal attack technique: it's
> probably the most common.
>
> For what they can possibly know about the end user, Debian has it right here.
There's a lot of shades of gray to that one. Way too many to say they're right *or* wrong, IMHO.

It *does* make people think they have "full ssl security by default", which they *don't*. They do have partial protection, which helps in some (fairly common) scenarios. But if you compare it to the requirements that people *do* have when they use SSL, it usually *doesn't* protect them the whole way - but they get the illusion that it does.

Sure, they'd have to read up on the details in order to get secure whether it's on by default or not - that's why I think it's hard to call it either right or wrong, but it's rather somewhere in between.

They also enable things like encryption on all localhost connections. I consider that plain wrong, regardless. Though it provides for some easy "performance tuning" for consultants...

--
Magnus Hagander
Me: http://www.hagander.net/
Work: http://www.redpill-linpro.com/

--
Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers
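The "partial protection" point in the exchange above can be made concrete with a small added example (not part of the thread, and not Debian's or PostgreSQL's own code). It constructs a throwaway self-signed certificate standing in for the distro-generated one, then checks it the way a client would: first against the system's trusted CAs (what a client asking for certificate verification would do with no `root.crt` installed), then against a copy of the certificate it has been handed out of band (the equivalent of placing it in `~/.postgresql/root.crt`). The subject name `db.example.invalid` and the temporary file names are assumptions chosen for the example.

```shell
#!/bin/sh
# Added example: a self-signed server certificate encrypts the connection,
# but it only lets a client detect an impostor once the client has been
# given a trusted copy to verify against. Requires the openssl CLI.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed stand-in for the distro's default self-signed certificate.
make_self_signed_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=db.example.invalid" \
        -keyout "$WORK/server.key" -out "$WORK/server.crt" >/dev/null 2>&1
}

# Returns 0 only if the certificate chains to a CA the system already trusts.
# A client that verifies the server (verify-ca / verify-full) but has no
# root.crt is in this position: the self-signed cert cannot be validated.
verifies_against_system_cas() {
    openssl verify "$WORK/server.crt" >/dev/null 2>&1
}

# Returns 0 if the certificate verifies once the client has been handed a
# copy to trust, i.e. after the cert is distributed as the client's root.crt.
verifies_with_pinned_copy() {
    openssl verify -CAfile "$WORK/server.crt" "$WORK/server.crt" >/dev/null 2>&1
}

# Stand-alone run: report what each client situation gets.
make_self_signed_cert
if verifies_against_system_cas; then
    echo "unexpected: self-signed cert verified against system CAs"
else
    echo "no root.crt: encryption only, impersonation cannot be detected"
fi
if verifies_with_pinned_copy; then
    echo "with pinned copy: server identity can be verified"
fi
```

The first check failing is the whole point of the thread: out of the box, the certificate buys protection against passive eavesdropping and nothing more, and a client only gains protection against an active impostor after the administrator distributes the certificate (or a CA that signed it) to each client.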