[thelist] SSL Certificate Choices

Ken Schaefer Ken at adOpenStatic.com
Mon Jan 28 18:33:04 CST 2008



-----Original Message-----
From: thelist-bounces at lists.evolt.org [mailto:thelist-bounces at lists.evolt.org] On Behalf Of Mark Groen
Sent: Tuesday, 29 January 2008 12:26 AM
To: thelist at lists.evolt.org
Subject: Re: [thelist] SSL Certificate Choices

On January 27, 2008 5:18:57 pm Ken Schaefer wrote:
> > .........So, no security hole per se.
>
> Exactly, no security hole. Except we are not counting on users to be not
> phished etc. but as far as the connection is concerned you're okay.

You are quoting me out of context.

There is no security hole because it doesn't work as was originally claimed.

> Except we are not counting on users to be not
> phished etc.

PKI is for one-way or mutual authentication of hosts, not just for encrypting data. By using a system of mutual trust users can avoid *being phished* as well.

There is definitely an issue of trusting random root CAs. What happens if you are being phished? Or someone has poisoned the DNS? Or someone compromises your CA and issues their own certificates? And so on, and so on.

Managing a PKI isn't a trivial exercise. Maybe you can do this for your own internal infrastructure (I know I do at home), but for public-facing websites, most people are better off sourcing something from one of the major vendors. $50/year shouldn't be too much for most sites, and for large e-commerce sites, what's $500 or even more per year? It costs that much to have a single support engineer for <1 day.

Cheers
Ken


