Re: [users@httpd] Namebased Virtual Hosts

On 10/17/06, Joshua Slive <joshua@xxxxxxxx> wrote:
On 10/17/06, Serge Dubrouski <sergeyfd@xxxxxxxxx> wrote:
> On 10/17/06, Joshua Slive <joshua@xxxxxxxx> wrote:
> > On 10/17/06, Gregor Schneider <rc46fi@xxxxxxxxxxxxxx> wrote:

> > > > And in addition, your second and third ssl sites are not going to work
> > > > properly.  You can only have one ssl site on each IP-address/port
> > > > combination because the SSL certificate is selected before the
> > > > hostname is known.
> > >
> > > Well, what  is going to happen  if I do specify more than one SSL-site per
> > > IP/port-pair? Do I just get the message that the cert is invalid (I could
> > > pretty much live with that)?
> >
> > Yes, you will have an invalid cert.  But note that SSL with an invalid
> > cert is no more secure than ordinary HTTP.  So this may be okay for
> > testing, but it doesn't provide any real security.
> >
> > Joshua.
> >
>
> Why?! Per my understanding the channel will be crypted anyway. Self
> signed certificate is invalid from the browser point of view as well,
> but it doesn't prevent crypting. Do I miss something?

The channel is encrypted, but you have no idea who encrypted it.  It
could, for example, be a "man in the middle" that puts himself on the
wire between you and server, decrypts the original content,

Tell me how you would do that without the server's private key????? It
doesn't matter who issued the certificate; encryption is always the
same, based on the server's private key. So you have to steal it first.

stores it
for whatever nefarious purpose, and then re-encrypts it and sends it
to you.


Again, where do you get the right private key to encrypt the data?

Without a certificate that represents the server of origin,
you have no way of telling where it came from.  This attack is a
little more work than passively eavesdropping on a plain HTTP
connection, but it is very feasible.

The real problem with self-signed certificates is that they don't
guarantee that company A, to which the certificate was issued, is really
company A and not something else. A CA has to check all the data that is
put into the certificate before issuing it. But on the other hand, browsers
now always contact CAs to verify certificates. Is OCSP enabled in your
browser by default?
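The disagreement above is about what a TLS client actually learns from a handshake. An added example, not code from the thread or from the httpd project, makes it concrete: it generates two unrelated key pairs for the same hypothetical name (www.example.com, an assumption of this example), puts only one of them in the client's trust store, and then runs three loopback handshakes. With verification disabled the client completes an encrypted session with whichever key pair answers, so the "other" key pair needs nothing from the genuine server. With verification enabled the same key pair is refused and only the trusted one is accepted. The listener, the dialing client and the certificates are all constructed in-process; nothing touches the network beyond 127.0.0.1.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

const host = "www.example.com" // hypothetical site name used by both key pairs

// selfSigned makes a throwaway self-signed certificate and key for host.
// Anyone can run this for any name; no other party's private key is needed.
func selfSigned() (tls.Certificate, *x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	keyDER, err := x509.MarshalECPrivateKey(key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	pair, err := tls.X509KeyPair(
		pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}),
		pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: keyDER}))
	return pair, leaf, err
}

// serveOnce listens on a loopback port, presents pair to exactly one client
// and returns the address to dial.
func serveOnce(pair tls.Certificate) (string, error) {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{pair}})
	if err != nil {
		return "", err
	}
	go func() {
		defer ln.Close()
		if c, err := ln.Accept(); err == nil {
			c.(*tls.Conn).Handshake() // error ignored: a rejecting client aborts here
			c.Close()
		}
	}()
	return ln.Addr().String(), nil
}

// connect dials addr as if it were host under the given client policy and
// reports whether the handshake completed.
func connect(addr string, cfg *tls.Config) bool {
	cfg.ServerName = host
	conn, err := tls.Dial("tcp", addr, cfg)
	if err != nil {
		return false
	}
	conn.Close()
	return true
}

// Result records whether each client policy completed a handshake.
type Result struct {
	UnverifiedAcceptsOther bool // encrypted, but with whoever answered
	VerifiedAcceptsOther   bool // must be false: that key pair is not trusted
	VerifiedAcceptsGenuine bool // must be true: the one key pair we trust
}

// Scenario builds two independent key pairs for the same name. Only the
// genuine one goes into the client's trust store; the other stands in for
// any party that can answer the connection with a key of its own.
func Scenario() (Result, error) {
	var r Result
	genuine, genuineLeaf, err := selfSigned()
	if err != nil {
		return r, err
	}
	other, _, err := selfSigned()
	if err != nil {
		return r, err
	}
	trust := x509.NewCertPool()
	trust.AddCert(genuineLeaf)

	// Policy 1: encrypt but skip verification (what clicking through a
	// certificate warning amounts to). Any key pair is accepted.
	addr, err := serveOnce(other)
	if err != nil {
		return r, err
	}
	r.UnverifiedAcceptsOther = connect(addr, &tls.Config{InsecureSkipVerify: true})

	// Policy 2: verify against the trust store. The other key pair is refused,
	if addr, err = serveOnce(other); err != nil {
		return r, err
	}
	r.VerifiedAcceptsOther = connect(addr, &tls.Config{RootCAs: trust})

	// while the genuine one is accepted, so the client knows whose key it used.
	if addr, err = serveOnce(genuine); err != nil {
		return r, err
	}
	r.VerifiedAcceptsGenuine = connect(addr, &tls.Config{RootCAs: trust})
	return r, nil
}

func main() {
	r, err := Scenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", r)
}
```

Run it with `go run .`; the printed result is `{UnverifiedAcceptsOther:true VerifiedAcceptsOther:false VerifiedAcceptsGenuine:true}`. The first field is the case Joshua describes: the session is encrypted, but with a key the client never checked, so the encryption tells it nothing about who is on the other end. Only the verified handshakes bind the session to a key pair the client decided in advance to trust, which is what a CA-issued (or pre-distributed) certificate provides and a self-signed one presented cold does not.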

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
  "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx


