On Sat, Jan 16, 2010 at 17:59:32 +0100, Vadkan Jozsef <jozsi.avadkan@xxxxxxxxx> wrote:
> what is a self-signed outdated ssl cert worth? [https]
>
> could it be tricked [https] in a way that the end user will not
> recognize? [e.g. he already accepted the cert one time, and the browser
> would warn her, if it had been "attacked"?]
>
> ..I mean does an outdated self-signed certificate give the same security
> as a normal cert?

Using https, even with certs that don't provide identity assurance, still makes eavesdropping harder (relative to using unencrypted http). Instead of a passive attack, you need to do an active man-in-the-middle attack.

Also note that every top level certificate is self signed. What makes some special to most people is that they are delivered with browsers and don't generate warnings by default. This may or may not be a useful thing depending on what you expect them to be doing for you.
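The "accepted the cert one time, then warn if it changes" behaviour raised in the question is a trust-on-first-use check. The sketch below is an added example, not part of the original thread and not any browser's actual implementation; `PinStore`, `demo`, the host name and the certificate byte strings are hypothetical, constructed for illustration.

```python
import hashlib
import hmac
import json
import ssl
from pathlib import Path


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 over the DER encoding; expiry and issuer play no part in it."""
    return hashlib.sha256(der_cert).hexdigest()


def fetch_der(host: str, port: int = 443) -> bytes:
    """Fetch the server's leaf certificate without validating it (live use only)."""
    pem = ssl.get_server_certificate((host, port))
    return ssl.PEM_cert_to_DER_cert(pem)


class PinStore:
    """Hypothetical trust-on-first-use store: host -> pinned fingerprint."""

    def __init__(self, path: Path):
        self.path = path
        self.pins = json.loads(path.read_text()) if path.exists() else {}

    def check(self, host: str, der_cert: bytes) -> str:
        seen = fingerprint(der_cert)
        pinned = self.pins.get(host)
        if pinned is None:
            # First contact: nothing to compare against, so this is the one
            # step where a swapped certificate cannot be noticed.
            self.pins[host] = seen
            self.path.write_text(json.dumps(self.pins))
            return "first-use"
        if hmac.compare_digest(pinned, seen):
            return "match"
        # The pin is kept: a changed certificate has to be re-approved out of band.
        return "MISMATCH"


def demo(tmp_dir: str) -> list:
    # Constructed stand-ins for DER-encoded certificates (not real certificates).
    server = b"constructed-self-signed-expired-cert"
    other = b"constructed-cert-presented-by-someone-else"
    store = PinStore(Path(tmp_dir) / "pins.json")
    host = "www.example.test"
    results = [store.check(host, server), store.check(host, server),
               store.check(host, other)]
    # A fresh store loaded from disk still remembers the original pin.
    results.append(PinStore(store.path).check(host, other))
    return results
```

The pin compares certificate bytes only, so an expired self-signed certificate matches as long as it is unchanged; what the pin cannot do is vouch for the certificate seen on first use.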