Re: [users@httpd] Namebased Virtual Hosts


 



On 10/17/06, Joshua Slive <joshua@xxxxxxxx> wrote:
On 10/17/06, Serge Dubrouski <sergeyfd@xxxxxxxxx> wrote:
> On 10/17/06, Joshua Slive <joshua@xxxxxxxx> wrote:
> > On 10/17/06, Gregor Schneider <rc46fi@xxxxxxxxxxxxxx> wrote:

> > > > And in addition, your second and third ssl sites are not going to work
> > > > properly.  You can only have one ssl site on each IP-address/port
> > > > combination because the SSL certificate is selected before the
> > > > hostname is known.
> > >
> > > Well, what is going to happen if I do specify more than one SSL-site per
> > > IP/port-pair? Do I just get the message that the cert is invalid (I could
> > > pretty much live with that)?
> >
> > Yes, you will have an invalid cert.  But note that SSL with an invalid
> > cert is no more secure than ordinary HTTP.  So this may be okay for
> > testing, but it doesn't provide any real security.
> >
> > Joshua.
> >
>
> Why?! Per my understanding the channel will be encrypted anyway. A
> self-signed certificate is invalid from the browser's point of view as
> well, but it doesn't prevent encryption. Am I missing something?

The channel is encrypted, but you have no idea who encrypted it.  It
could, for example, be a "man in the middle" that puts himself on the
wire between you and the server, decrypts the original content, stores it
for whatever nefarious purpose, and then re-encrypts it and sends it
to you.  Without a certificate that represents the server of origin,
you have no way of telling where it came from.  This attack is a
little more work than passively eavesdropping on a plain HTTP
connection, but it is very feasible.

Punchline: untrusted certificate = insecure connection

Joshua.


That's another story and all of this is true. But I wouldn't say that
"it is no more secure than ordinary HTTP". Anyway I've got what you
meant. Thanks.

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
  "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
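
The constraint discussed in this thread, shown as an httpd configuration. This is an added example, not part of the original messages; the addresses (documentation range 192.0.2.0/24), hostnames and file paths are constructed placeholders.

```apache
# Constructed example: IPs, hostnames and paths are placeholders.

# --- Problematic layout (kept commented out) --------------------------
# Two SSL sites share one IP-address/port combination. The certificate
# is selected during the SSL handshake, before the hostname is known,
# so the first vhost's certificate (shop.example.com) is presented for
# both sites and clients asking for mail.example.com see an invalid
# (mismatched) certificate.
#
# NameVirtualHost 192.0.2.10:443
# <VirtualHost 192.0.2.10:443>
#     ServerName shop.example.com
#     SSLEngine on
#     SSLCertificateFile    /etc/httpd/ssl/shop.example.com.crt
#     SSLCertificateKeyFile /etc/httpd/ssl/shop.example.com.key
# </VirtualHost>
# <VirtualHost 192.0.2.10:443>
#     ServerName mail.example.com
#     SSLEngine on
#     SSLCertificateFile    /etc/httpd/ssl/mail.example.com.crt
#     SSLCertificateKeyFile /etc/httpd/ssl/mail.example.com.key
# </VirtualHost>

# --- Corrected layout: one SSL site per IP-address/port combination ---
# The server can pick the right certificate from the address the client
# connected to, without needing the hostname.
Listen 443

<VirtualHost 192.0.2.10:443>
    ServerName shop.example.com
    DocumentRoot /var/www/shop
    SSLEngine on
    SSLCertificateFile    /etc/httpd/ssl/shop.example.com.crt
    SSLCertificateKeyFile /etc/httpd/ssl/shop.example.com.key
</VirtualHost>

<VirtualHost 192.0.2.11:443>
    ServerName mail.example.com
    DocumentRoot /var/www/mail
    SSLEngine on
    SSLCertificateFile    /etc/httpd/ssl/mail.example.com.crt
    SSLCertificateKeyFile /etc/httpd/ssl/mail.example.com.key
</VirtualHost>
```

With this layout, each hostname's DNS record must point at the address of its own vhost so that clients reach the vhost holding the matching certificate.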


