Bitcoin Forum
Author Topic: Website Developers, Stop Scaring Away Your Potential Customers (SSL!)  (Read 3282 times)
Nefario
July 28, 2011, 03:59:30 PM
 #21

Just to chime in on this, everything EVERYTHING nafai has said about ssl is 100% correct.

Self-signed certs are no less secure than signed. Signed certs only provide a (horribly low minimum) level of VERIFICATION that the person is who they say they are, nothing more (more expensive certs have higher standards).

Having an ssl auth cert allows the cert authority to issue other certs for your domain (to, for example, governments) which would allow them (whoever they are) to MITM you. It also happens when hackers break into cert authorities' systems and steal the private keys for the cert auth (this happened to Comodo).

I don't know if nafai is in the security business but I vouch for his understanding of ssl (and by extension other forms of encryption), pm me and tell me more about yourself.

As for everyone else, I've gotten ahold of a "proper" signed cert so it no longer throws up warnings, you can relax now.

Nefario

PGP key id at pgp.mit.edu 0xA68F4B7C

To get help and support for GLBSE please email support@glbse.com
Rogue Star
July 29, 2011, 12:15:50 AM
 #22

Quote
Just to chime in on this, everything EVERYTHING nafai has said about ssl is 100% correct.

I don't disagree with most of what you or nafai said. If SSL was JUST line encryption, I would accept encryption is better than no encryption. However, it is not; tying it to identity verification is unavoidable. As someone that tries to pay attention to the contents of self-signed certs I feel helpless verifying the identity behind it. I know self signing is "good enough" more than 99% of the time, but with these things you need to be on top or you will inevitably run into that less than 1% scenario at a really inconvenient time. I doubt many service providers would eat the cost in the rare case where one of their customers mistakenly accepts a spoofed self-signed cert and is taken advantage of.

I think it's disingenuous to say that signed SSL identity verification is worthless while also saying that the encryption provided by self-signed certs is good enough for production use. Show me one white paper that recommends choosing a self-signed cert over a signed cert in a production environment as a best practice and I'll eat my hat. Yes, someone could hack a cert authority and issue a valid cert for something spoofing your server. The point is they don't need to hack anything to impersonate a self-signed cert.

Anyway, glad to hear you started using a signed cert Nefario.

you can donate to me for whatever reason at: 18xbnjDDXxgcvRzv5k2vmrKQHWDjYsBDCf
casascius
July 29, 2011, 03:02:33 AM
 #23

Man in the middle attacks don't have to be expensive or require lots of resources.  All it takes is an opportunity to modify your HOSTS file and put in fake IP addresses for all the banks, hoping you might visit one.  This happens and has been happening for years.  Also, think of all the opportunities to sniff clear text traffic... simply run a Tor exit node, or a VPN service, or a local ISP.  If self-signed certs were the norm and no PKI infrastructure were in place, no matter how poor, MITM and similar attacks would be widespread.

The suggestion that people should just accept self signed certs and to pay no attention to the warning because you know better is, to me, on the same level as suggesting people should accommodate someone with terrible body odor the same as anyone else, and ignore the smell because it is merely unpleasant rather than toxic.

Companies claiming they got hacked and lost your coins sounds like fraud so perfect it could be called fashionable.  I never believe them.  If I ever experience the misfortune of a real intrusion, I declare I have been honest about the way I have managed the keys in Casascius Coins.  I maintain no ability to recover or reproduce the keys, not even under limitless duress or total intrusion.  Remember that trusting strangers with your coins without any recourse is, as a matter of principle, not a best practice.  Don't keep coins online. Use paper or hardware wallets instead.
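Added example, not part of any post in this thread: a defensive audit for the HOSTS-file tampering described in post #23, which parses hosts-file text and reports every non-local name that is pinned to a non-loopback address. The sample file, its bank hostnames and the local-suffix allow-list are constructed assumptions, and the "any pinned public name is suspicious" rule is a heuristic.

```python
import ipaddress

# Constructed sample hosts file; every hostname here is a made-up placeholder.
SAMPLE_HOSTS = """\
# constructed sample for this example
127.0.0.1       localhost
::1             localhost ip6-localhost
0.0.0.0         ads.tracker.example      # sinkholed ad domain
203.0.113.45    www.examplebank.test online.examplebank.test
198.51.100.7    login.otherbank.test # injected
192.168.1.20    nas.home.lan
not-an-ip       broken.entry.test
"""

def parse_hosts(text):
    """Yield (line_no, ip, [hostnames]) for each well-formed hosts entry."""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        fields = raw.split("#", 1)[0].split()  # drop trailing comment
        if len(fields) < 2:
            continue  # blank, comment-only, or an address with no name
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # first field is not an IP address; skip the line
        yield line_no, ip, [h.lower().rstrip(".") for h in fields[1:]]

def audit_hosts(text, local_suffixes=(".lan", ".local", ".internal")):
    """Return (line_no, hostname, ip) for names pinned to a non-loopback address.

    local_suffixes is an assumed allow-list for names that legitimately
    live in a hosts file on a home or office network.
    """
    findings = []
    for line_no, ip, names in parse_hosts(text):
        # Loopback and 0.0.0.0 entries are the usual localhost/sinkhole lines.
        if ip.is_loopback or ip.is_unspecified:
            continue
        for name in names:
            if name == "localhost" or name.endswith(local_suffixes):
                continue
            findings.append((line_no, name, str(ip)))
    return findings

if __name__ == "__main__":
    for line_no, name, ip in audit_hosts(SAMPLE_HOSTS):
        print(f"line {line_no}: {name} is pinned to {ip}")
```

On a real machine, pass the contents of `/etc/hosts` or `C:\Windows\System32\drivers\etc\hosts` to `audit_hosts` and review each finding by hand.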
nafai
July 29, 2011, 04:21:10 AM
 #24

Quote
If self-signed certs were the norm and no PKI infrastructure were in place, no matter how poor, MITM and similar attacks would be widespread.

But plaintext http, which is the norm now, is better?

1HQiS9PLHPcoQMgN8ZdcGwhoMHWh2Hp37p
alfred
July 29, 2011, 04:43:22 AM
 #25

Try...

https://glbse.com

now...
nafai
July 29, 2011, 04:51:48 AM
 #26



Oh noes there's a big X and a line through the https!  This must be a dangerous website!

1HQiS9PLHPcoQMgN8ZdcGwhoMHWh2Hp37p
Rogue Star
July 29, 2011, 05:21:58 AM
 #27

Quote
If self-signed certs were the norm and no PKI infrastructure were in place, no matter how poor, MITM and similar attacks would be widespread.

But plaintext http, which is the norm now, is better?
In some ways, plain text is better than a false sense of security, obviously in a pragmatic way it is not. But, why use half measures when the business case for rudimentary security is so easy? You've already done 90% of the work implementing SSL. You can get an entry level signed cert basically for free. One case of fraud due to MITM is going to cost more than a signed cert. You can always upgrade your cert level if there's a business case for it. It's a case of penny-wise, pound foolish. Don't cheap out when you are dealing with money that belongs to someone else. Certs should only be the first step.

@nafai I know you're being sarcastic, but that warning is coming from twitter. I wasn't getting that warning until I enabled that script.

@alfred we know, this thread is not directed at glbse in any way any more, at least I hope it's not, they've taken a step. Too bad the www subdomain throws a hissy fit, though Nefario could always just create a re-direct.

you can donate to me for whatever reason at: 18xbnjDDXxgcvRzv5k2vmrKQHWDjYsBDCf