Re: [users@httpd] SSL And Virtual Hosts

> For most serious applications of SSL, not really...
>
> Imagine you went to buy a book at Amazon and when you clicked on "checkout", you got a warning saying, "we're having a problem with our server and so you might get a browser warning about site name not matching certificate. Don't worry, just carry on and type in your credit card number anyway..." - would you?
>
> I guess if you have a limited application where the server holds the confidential data and the clients are just browsing it and there's no conceivable risk of anyone impersonating the server to serve up false data, then maybe it would be enough. But if the clients have anything confidential to submit, you really need authentication as much as encryption - put it another way, if you send your money off in an armoured car, you'd better make sure the driver really goes to the bank.

The most we're talking about here is a username/password for forums/ftp/webmail. I definitely don't have the infrastructure in place for any serious e-commerce sites, nor would I want that kind of responsibility placed on my home business at this stage.

I'm curious, though, about your cautionary statements. In what way could this setup potentially be abused? Assume that the only people who use any SSL-encrypted services on my secondary domains are fully aware of my primary domain and know that I am the one handling their hosting. Thus, when they receive a warning message about their certificate, they'd see my name and know it's OK. Is there a way for a 3rd party to abuse this and hijack their data?

The only thing I can think of is if someone messed with their DNS so that they go to another server pretending to be me. But, even with authentication, the only way to truly prevent that would be to use "trusted" certs, which cost, what, $200? (something I don't have at the moment) As long as I'm self-signing, anyone can self-sign and pretend to be me.


Regards,
David P. Donahue
ddonahue@xxxxxxxxxxx
http://www.cyber0ne.com

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
  "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
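The "site name not matching certificate" warning discussed in this thread comes from one specific client-side check: the hostname the user typed is compared against the names in the server certificate. The example below, added here and not code from the thread or from Apache, reimplements that check in Python over certificate dicts constructed in the layout that `ssl.SSLSocket.getpeercert()` returns (no network connection is made). `cyber0ne.com` is the primary domain from the signature above; `forum.example.net` is a constructed stand-in for one of the secondary domains, and the certificate contents are invented for illustration. It also shows the two rules that trip people up when one certificate is reused across virtual hosts: subjectAltName entries, when present, replace the Common Name entirely, and a wildcard covers exactly one label.

```python
"""Hostname vs. certificate-name matching: the check behind a browser's
"site name does not match certificate" warning.

Added example, not code from the mailing-list thread. The certificate
dicts are constructed in the shape returned by ssl.getpeercert().
"""


def _dns_names(cert):
    """Return the DNS names a certificate is valid for.

    Per RFC 6125 (and every current browser), if the subjectAltName
    extension carries any DNS entries the Common Name is ignored; the CN
    is only a fallback for legacy certificates that have no SAN at all.
    """
    san = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if san:
        return san
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return [value]
    return []


def _name_matches(pattern, hostname):
    """Match one certificate name against a hostname, case-insensitively.

    A wildcard is honoured only as the whole leftmost label and matches a
    single label: '*.cyber0ne.com' covers 'www.cyber0ne.com' but neither
    'cyber0ne.com' nor 'a.b.cyber0ne.com'. Patterns such as '*.com' or
    'w*.cyber0ne.com' are rejected outright.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or any("*" in lbl for lbl in p_labels[1:]):
        return False
    return (len(h_labels) == len(p_labels)
            and h_labels[0] != ""
            and h_labels[1:] == p_labels[1:])


def hostname_matches(cert, hostname):
    """True if any name the certificate is valid for covers `hostname`."""
    return any(_name_matches(name, hostname) for name in _dns_names(cert))


def explain_mismatch(cert, hostname):
    """Return None on a match, otherwise the text a client could warn with."""
    if hostname_matches(cert, hostname):
        return None
    names = ", ".join(_dns_names(cert)) or "<no DNS name at all>"
    return "certificate is for %s, not %s" % (names, hostname)


# Constructed sample certificates (layout of ssl.getpeercert(); contents invented).
PRIMARY_CERT = {
    "subject": ((("commonName", "www.cyber0ne.com"),),),
    "subjectAltName": (("DNS", "www.cyber0ne.com"), ("DNS", "cyber0ne.com")),
}
# Legacy certificate with no SAN: the wildcard CN is all a client has to go on.
WILDCARD_CN_CERT = {
    "subject": ((("commonName", "*.cyber0ne.com"),),),
}
# CN names the secondary domain but the SAN does not: the CN is ignored,
# so a client visiting the secondary domain still warns.
CN_ONLY_SECONDARY_CERT = {
    "subject": ((("commonName", "forum.example.net"),),),
    "subjectAltName": (("DNS", "www.cyber0ne.com"),),
}

if __name__ == "__main__":
    for cert, host in [
        (PRIMARY_CERT, "www.cyber0ne.com"),
        (PRIMARY_CERT, "forum.example.net"),
        (WILDCARD_CN_CERT, "webmail.cyber0ne.com"),
        (WILDCARD_CN_CERT, "cyber0ne.com"),
        (CN_ONLY_SECONDARY_CERT, "forum.example.net"),
    ]:
        print("%-28s %s" % (host, explain_mismatch(cert, host) or "OK"))
```

Serving the primary domain's certificate on every SSL virtual host, as the thread describes, fails this check on each secondary hostname regardless of whether the certificate is self-signed or CA-issued: the name mismatch warning and the untrusted-issuer warning are separate checks, and fixing one does not silence the other.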
