[Info-vax] [OT] Zero trust software, was: Re: Rethinking DECNET ?
Stephen Hoffman
seaohveh at hoffmanlabs.invalid
Wed Sep 3 11:51:51 EDT 2014
On 2014-09-03 15:34:30 +0000, JF Mezei said:
> On 14-09-03 08:38, Bill Gunshannon wrote:
>
>> My private certificates provide much more security because I can be
>> certain I haven't given them to any third parties.
>
> But you have no defence against a malicious site redirecting DNS to
> their site and using their own self signed certificate to impersonate
> your site fully.
If the initial self-signed root certificate is loaded and
correctly trusted and/or if the self-signed leaf certificate is loaded
using a trusted path, you're secure.
> When your certificate is "registered" with an authority, there is
> confidence that when someone does https://www.chocolate.com, they will
> get to YOUR site and if someone tried to hijack your site, browsers
> will warn the end user that the certificate presented by the "new" site
> is invalid.
If you're running an ecommerce site and have no control over the clients, sure.
If you're doing what Bill is likely doing here and what other folks are
definitely doing with self-signed certificates, Bill is correct.
--
Pure Personal Opinion | HoffmanLabs LLC
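The point Hoffman makes above, shown as an added example that is not part of the thread: a client that trusts only the site's own self-signed certificate (loaded over a trusted path) accepts that certificate and rejects an impostor's self-signed certificate for the same name, with no CA involved. The Go helpers `selfSigned` and `trustedByPin`, and the certificates they mint, are constructed for this illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"fmt"
	"math/big"
	"time"
)

// selfSigned mints a self-signed cert for host with a fresh key; it stands in
// for the site operator's private cert or an impostor's (constructed here).
func selfSigned(host string, serial int64) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		DNSNames:              []string{host},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// trustedByPin validates presented for host against a store holding only the
// pinned cert: no system CAs, so a redirected server's own cert cannot pass.
func trustedByPin(pinned, presented *x509.Certificate, host string) bool {
	pool := x509.NewCertPool()
	pool.AddCert(pinned)
	_, err := presented.Verify(x509.VerifyOptions{Roots: pool, DNSName: host})
	return err == nil
}

func main() {
	site, _ := selfSigned("www.chocolate.com", 1)
	impostor, _ := selfSigned("www.chocolate.com", 2)
	fmt.Println(trustedByPin(site, site, "www.chocolate.com"))     // true
	fmt.Println(trustedByPin(site, impostor, "www.chocolate.com")) // false
}
```

The security of this scheme rests entirely on how the pinned certificate reached the client; a DNS redirect gains nothing once the trust anchor is fixed out of band.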