Date: Mon, 22 Jan 2001 01:33:09 -0800
From: "Ted Mittelstaedt" <tedm@toybox.placo.com>
To: <cjclark@alum.mit.edu>, "'Arcady Genkin'" <antipode@thpoon.com>
Cc: <freebsd-questions@FreeBSD.ORG>
Subject: RE: imap and pop3 via stunnel (was: UW-IMAP server and secure authentication)
Message-ID: <011401c08456$55ae15e0$1401a8c0@tedm.placo.com>
In-Reply-To: <20010121201750.D10761@rfx-216-196-73-168.users.reflex>
>-----Original Message-----
>From: owner-freebsd-questions@FreeBSD.ORG
>[mailto:owner-freebsd-questions@FreeBSD.ORG]On Behalf Of Crist J. Clark
>Sent: Sunday, January 21, 2001 8:18 PM
>To: Arcady Genkin
>Cc: freebsd-questions@FreeBSD.ORG
>Subject: Re: imap and pop3 via stunnel (was: UW-IMAP server and secure
>authentication)
>
>
>On Sun, Jan 21, 2001 at 08:45:24PM -0500, Arcady Genkin wrote:
>> "Crist J. Clark" <cjclark@reflexnet.net> writes:
>>
>> > I don't see why you can't use a self-signed cert. Provided you
>> > distribute it securely (relative to what you are protecting and other
>> > security measures), it is a fairly good solution.
>>
>> I basically want to disable any ways of connecting to my computer with
>> user names/passwords sent in clear text. What do you mean by
>> "distribute it securely"?
>
>When you establish an SSL connection with someone new, you are
>supposed to be able to trust that their cert is valid because it is
>signed by a trusted third party. Something like a web browser comes
>with certain signatures built in (people like VeriSign). You are
>self-signing your certs. There is no trusted third party to check the
>cert.
>
>You are vulnerable to a man-in-the-middle attack the first time you
>connect. There is no way for your computer to know if the machine

You're discounting the ability to transfer the key by other mechanisms. In any case, there's nothing preventing anybody from setting up shop on the Internet and distributing signatures. People get all hung up on Verisign because they were smart enough to come in out of the rain and stick their sigs into the 2 major web browsers, but there's nothing preventing any other certificate authority from being used, provided that the key is transmitted securely. Here's a thought: a CA can set itself up, get a Verisign certificate, then use it to bootstrap their own signatures into interested parties' web browsers; then those users can go to other sites that are running certs signed by that CA.
Frankly, in my opinion it's a damn shame that Verisign has been able to successfully propagandize most of the Internet into believing that they are the Only Way Truth and Light to secure data transmission on the Internet. It's tremendously retarded the growth and use of SSL on the Internet, in my opinion.

Ted Mittelstaedt
tedm@toybox.placo.com
Author of: The FreeBSD Corporate Networker's Guide
Book website: http://www.freebsd-corp-net-guide.com
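As an added illustration of the two points argued above (the first-connection man-in-the-middle window, and closing it by handing the self-signed cert's fingerprint to users over some other trusted channel), here is a small certificate pin store in Python. It is example code written for this page, not anything from the thread or from stunnel; the host names and the DER bytes used in its checks are constructed placeholders, and `fetch_server_cert_der` is only there to show where a real IMAP/POP3 client would obtain the certificate.

```python
import hashlib
import hmac
import ssl


class PinMismatch(Exception):
    """The server presented a certificate other than the one we were given."""


def fingerprint(cert_der: bytes) -> str:
    # SHA-256 over the DER encoding: the value an admin hands out out-of-band.
    return hashlib.sha256(cert_der).hexdigest()


class PinStore:
    """In-memory known-certificate table keyed by "host:port" (cf. known_hosts)."""

    def __init__(self):
        self.pins = {}

    def seed(self, hostport, fp):
        # Out-of-band distribution: the fingerprint arrived over a channel we
        # already trust (in person, over ssh, on paper), so pin it up front.
        self.pins[hostport] = fp

    def check(self, hostport, cert_der, trust_on_first_use=False):
        """Return "pinned" on a match or "first-use" when TOFU accepts a new host."""
        fp = fingerprint(cert_der)
        known = self.pins.get(hostport)
        if known is None:
            if not trust_on_first_use:
                raise PinMismatch(f"no pin for {hostport}; distribute one first")
            # Trust-on-first-use: the single connection an active attacker on
            # the path could still subvert, exactly the window the thread warns of.
            self.pins[hostport] = fp
            return "first-use"
        if not hmac.compare_digest(known, fp):
            raise PinMismatch(f"{hostport}: expected {known}, got {fp}")
        return "pinned"


def fetch_server_cert_der(host, port):
    # Retrieve the leaf certificate without trusting it; check() decides after.
    pem = ssl.get_server_certificate((host, port))
    return ssl.PEM_cert_to_DER_cert(pem)


def pinned_context(cert_der):
    # Trust exactly this one certificate for the real IMAP/POP3 session; the
    # server's identity was established by the pin, not by a public CA.
    ctx = ssl.create_default_context(cadata=cert_der)
    ctx.check_hostname = False
    return ctx
```

With a seeded pin the self-signed server cert is accepted only if it matches byte for byte; with `trust_on_first_use=True` the store behaves like ssh, accepting the first cert it sees and rejecting any later change.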