On 7/25/06, SithLord <apache-mail@xxxxxxxxx> wrote:
On Tuesday 25 July 2006 03:18, Joshua Slive wrote: > First, SSL without a valid certificate trusted by the client is not > any safer than plain-text in the end. A "man-in-the-middle" could sit > on the wire, provide your clients with a bogus certificate, and > decrypt all the traffic on the way back and forth to the server. > Since your clients are used to hitting "ignore" on the certificate > error warnings, they would be none-the-wiser. You're absolutely right but I don't have any "clients". These services are not for public use. This isn't a production service available to real clients/customers. I have some services at home I like/need to have available from outside. Moreover, there is nothing absolutely critical and most of these services could be available through plain HTTP. Remember that I talked about a "poor's man" HTTPS virtual hosting, nothing related to production use.
Why do you want to use HTTPS? So that your communications with these services can't be intercepted? Well, if you don't have proper certificates, you aren't getting that benefit, so you might as well just use HTTP. Joshua. --------------------------------------------------------------------- The official User-To-User support forum of the Apache HTTP Server Project. See <URL:http://httpd.apache.org/userslist.html> for more info. To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx " from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
|