On Wednesday, April 6, 2011, 19:21:03, Simon Martin wrote: > 1.- Certify endpoints. For this there must be an unbroken certificate > chain from a trusted CA down through 0 or more intermediate > certificates to the end certificate that is being used. For this > purpose Vilius is right, self-signed certificates are no use.
> 2.- Secure communications channel. The communication is opaque to all > but the 2 endpoints that are communicating. When you perform > IMAP/POP3/SMTP authentication you are sending your login details, you > definitely don't what people to read that, and you might not want them > to read the mail contents either. For this purpose self-signed > certificates are perfectly OK. 2 without 1 is useless - if you don't know the certificate of the other endpoint, anybody could substitute his own certificate, decrypt the traffic from both sides and encrypt it with his own certificate - and you wouldn't know a thing, since you'd still get the same warning as always (this is a man-in-the-middle attack). However, if you have some way to obtain the public key of the certificate, you can trust that public key, and then MITM attack would become immediately apparent, since you'd get warned about an untrusted certificate, when you know you trust the server's actual certificate. -- < Jernej Simončič ><><><><>< http://eternallybored.org/ > [ The Bat! 5.0.8 on Windows 7 6.1.7601.Service Pack 1 ] Never needlessly disturb a thing at rest. -- Randolph's Cardinal Principle of Statecraft ________________________________________________________ Current beta is 5.0.6.1 | 'Using TBBETA' information: http://www.silverstones.com/thebat/TBUDLInfo.html
