On 10/17/06, Serge Dubrouski <sergeyfd@xxxxxxxxx> wrote:
On 10/17/06, Joshua Slive <joshua@xxxxxxxx> wrote:
> On 10/17/06, Gregor Schneider <rc46fi@xxxxxxxxxxxxxx> wrote:
> > > And in addition, your second and third ssl sites are not going to work
> > > properly. You can only have one ssl site on each IP-address/port
> > > combination because the SSL certificate is selected before the
> > > hostname is known.
> >
> > Well, what is going to happen if I do specify more than one SSL-site per
> > IP/port-pair? Do I just get the message that the cert is invalid (I could
> > pretty much live with that)?
>
> Yes, you will have an invalid cert. But note that SSL with an invalid
> cert is no more secure than ordinary HTTP. So this may be okay for
> testing, but it doesn't provide any real security.
>
> Joshua.

Why?! Per my understanding the channel will be encrypted anyway. A self-signed certificate is invalid from the browser's point of view as well, but it doesn't prevent encryption. Am I missing something?
The channel is encrypted, but you have no idea who encrypted it. It could, for example, be a "man in the middle" that puts himself on the wire between you and the server, decrypts the original content, stores it for whatever nefarious purpose, and then re-encrypts it and sends it to you. Without a certificate that represents the server of origin, you have no way of telling where it came from.

This attack is a little more work than passively eavesdropping on a plain HTTP connection, but it is very feasible.

Punchline: untrusted certificate = insecure connection

Joshua.

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
   "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
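Both points in the thread (the first vhost's certificate being handed to every name on the same IP:port, and Joshua's "untrusted certificate = insecure connection") can be reproduced on a loopback socket. The following Go program is an added example written for this page; it is not code from the thread or from Apache httpd, and it uses only the Go standard library. The hostnames shop.example and mail.example are constructed, and the "trusted" case models a self-signed certificate that the client has been explicitly told to trust (the equivalent of importing a test cert into the browser's store). Each scenario records what the verifying client sees:

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// newSelfSigned mints a self-signed certificate for name, as a test site would
// (or as an attacker impersonating that site would). Constructed test data.
func newSelfSigned(name string) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: name},
		DNSNames:     []string{name}, // modern verifiers match SANs, not the CN
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return cert, key
}

// serve listens on a loopback port and presents exactly one certificate to every
// client, which is what a pre-SNI mod_ssl does for all vhosts sharing an IP:port.
func serve(cert *x509.Certificate, key *ecdsa.PrivateKey) (addr string, stop func()) {
	cfg := &tls.Config{Certificates: []tls.Certificate{{Certificate: [][]byte{cert.Raw}, PrivateKey: key}}}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", cfg)
	must(err)
	go func() {
		for {
			c, err := ln.Accept()
			if err != nil {
				return // listener closed
			}
			go func() { defer c.Close(); c.(*tls.Conn).Handshake() }()
		}
	}()
	return ln.Addr().String(), func() { ln.Close() }
}

// connect runs a client handshake against addr, expecting serverName and trusting
// only roots. insecure=true is the "click through the browser warning" behaviour.
func connect(addr, serverName string, roots *x509.CertPool, insecure bool) error {
	conn, err := tls.Dial("tcp", addr, &tls.Config{ServerName: serverName, RootCAs: roots, InsecureSkipVerify: insecure})
	if err != nil {
		return err
	}
	return conn.Close()
}

// Results holds the client-side outcome of each scenario; nil means "accepted".
type Results struct {
	Trusted   error // cert the client trusts, name matches
	WrongHost error // second vhost on the same IP:port: client gets the first vhost's cert
	Untrusted error // a different self-signed cert for the right name, e.g. an interposed attacker
	NoVerify  error // same attacker cert, but the client has verification switched off
}

func Demo() Results {
	siteCert, siteKey := newSelfSigned("shop.example")
	roots := x509.NewCertPool()
	roots.AddCert(siteCert) // the client has been told to trust exactly this cert
	siteAddr, stopSite := serve(siteCert, siteKey)
	defer stopSite()
	mitmCert, mitmKey := newSelfSigned("shop.example") // same name, different key, never trusted
	mitmAddr, stopMitm := serve(mitmCert, mitmKey)
	defer stopMitm()
	return Results{
		Trusted:   connect(siteAddr, "shop.example", roots, false),
		WrongHost: connect(siteAddr, "mail.example", roots, false),
		Untrusted: connect(mitmAddr, "shop.example", roots, false),
		NoVerify:  connect(mitmAddr, "shop.example", roots, true),
	}
}

// Classifiers for the two verification failures a browser would report.
func IsHostnameError(err error) bool    { return errors.As(err, new(x509.HostnameError)) }
func IsUnknownAuthority(err error) bool { return errors.As(err, new(x509.UnknownAuthorityError)) }

func main() { fmt.Printf("%+v\n", Demo()) }
```

The two failures are the two warnings Gregor would see: WrongHost is the "certificate is for another site" case produced by a second SSL vhost on the same IP:port, and Untrusted is the "unknown issuer" case. The NoVerify line is Joshua's point in one value: the attacker's certificate is accepted and the handshake "works", so the encryption tells the client nothing about who is on the other end. Two caveats for anyone reading this thread today: a self-signed certificate is fine for testing once the client explicitly trusts that exact certificate (the Trusted case), and the one-site-per-IP:port limit described above predates SNI, which mod_ssl supports since httpd 2.2.12 when built against an SNI-capable OpenSSL.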