Date:      Mon, 22 Jan 2001 02:57:25 -0800
From:      "Crist J. Clark" <cjclark@reflexnet.net>
To:        Ted Mittelstaedt <tedm@toybox.placo.com>
Cc:        "'Arcady Genkin'" <antipode@thpoon.com>, freebsd-questions@FreeBSD.ORG
Subject:   Re: imap and pop3 via stunnel (was: UW-IMAP server and secure authentication)
Message-ID:  <20010122025725.N10761@rfx-216-196-73-168.users.reflex>
In-Reply-To: <011401c08456$55ae15e0$1401a8c0@tedm.placo.com>; from tedm@toybox.placo.com on Mon, Jan 22, 2001 at 01:33:09AM -0800
References:  <20010121201750.D10761@rfx-216-196-73-168.users.reflex> <011401c08456$55ae15e0$1401a8c0@tedm.placo.com>

On Mon, Jan 22, 2001 at 01:33:09AM -0800, Ted Mittelstaedt wrote:
> 
> >-----Original Message-----
> >From: owner-freebsd-questions@FreeBSD.ORG
> >[mailto:owner-freebsd-questions@FreeBSD.ORG]On Behalf Of Crist J. Clark
> >Sent: Sunday, January 21, 2001 8:18 PM
> >To: Arcady Genkin
> >Cc: freebsd-questions@FreeBSD.ORG
> >Subject: Re: imap and pop3 via stunnel (was: UW-IMAP server and secure
> >authentication)
> >
> >
> >On Sun, Jan 21, 2001 at 08:45:24PM -0500, Arcady Genkin wrote:
> >> "Crist J. Clark" <cjclark@reflexnet.net> writes:
> >> 
> >> > I don't see why you can't use a self-signed cert. Provided you
                                                         ^^^^^^^^^^^^
> >> > distribute it securely (relative to what you are protecting and other
       ^^^^^^^^^^^^^^^^^^^^^^
> >> > security measures), it is a fairly good solution.
> >> 
> >> I basically want to disable any ways of connecting to my computer with
> >> user names/passwords sent in clear text.  What do you mean by
> >> "distribute it securely"?
> >
> >When you establish an SSL connection with someone new, you are
> >supposed to be able to trust that their cert is valid because it is
> >signed by a trusted third party. Something like a web browser comes
> >with certain signatures built in (people like VeriSign). You are
> >self-signing your certs. There is no trusted third party to check the
> >cert.
> >
> >You are vulnerable to a man-in-the-middle attack the first time you
> >connect. There is no way for your computer to know if the machine
> 
> You're discounting the ability to transfer the key by other mechanisms.

No, I mentioned explicitly that secure channels do exist in my initial
response as pointed out above. But those methods are out-of-band and
not within the SSL protocol itself.

> In any case, there's nothing preventing anybody from setting up shop
> on the Internet and distributing signatures.  People get all hung up
> on Verisign because they were smart enough to come in out of the rain
> and stick their sigs into the 2 major web browsers, but there's
> nothing preventing any other certificate authority from being used,
> provided that the key is transmitted securely.

Yes. I used Verisign as an example because everybody's heard of
them. Some others are,

  BelSign
  CertiSign
  Digital Signature Trust
  E-Certify
  Entrust
  GlobalSign
  ...

It's all moot since I did not think the original poster was actually
interested in getting a cert signed by a third party.

> Here's a thought, a CA can set itself up, get a Verisign certificate,
> then use it to bootstrap their own signatures into interested parties'
> web browsers, then those users can go to other sites that are running
> certs signed by that CA.

I think anyone who paid to get signed by someone who distributes their
cert like that has been had. You are counting on users following bad
security practices to get these guys' certs in place. Well, if morons
are your target market, then that actually might be a good choice.

I count certs from 27 different signers in a freshly installed
Netscape browser. There are over 80 certs total. These include the
signers listed above plus other little joints like the USPS, AT&T,
IBM, etc. Verisign is not the only game in town. And frankly, I don't
really like the idea that my browser by default would trust all of
these guys.

> Frankly, in my opinion it's a damn shame that Verisign has been
> able to successfully propagandize most of the Internet into believing
> that they are the Only Way Truth and Light to secure data transmission
> on the Internet.  It's tremendously retarded the growth and use of
> SSL on the Internet, in my opinion.

I really am unaware of a basis for such a claim. Are there scores of
people who want to get a signed SSL cert and have been denied the
privilege? Security companies and other institutions who do this have
sprung out of the woodwork. The cool thing about selling a cert
signing service is that it takes very little actual work. Like you
point out, the real challenge and costs are in marketing and
branding.
-- 
Crist J. Clark                           cjclark@alum.mit.edu
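
Added example, not part of the original message: one way a client can act on a self-signed cert that was "distributed securely", by comparing the server's certificate against a fingerprint obtained out-of-band before any credentials are sent. The function names and the choice of a SHA-256 fingerprint as the out-of-band value are assumptions of this sketch.

```python
import hashlib
import hmac
import socket
import ssl


def normalize_fingerprint(text):
    """Accept 'AB:CD:...' or bare hex; return 64 lowercase hex digits."""
    digits = text.replace(":", "").replace(" ", "").lower()
    if len(digits) != 64 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError("expected a SHA-256 fingerprint (64 hex digits)")
    return digits


def matches_pin(der_cert, pinned):
    """True only if the certificate bytes hash to the pinned fingerprint."""
    actual = hashlib.sha256(der_cert).hexdigest()
    return hmac.compare_digest(actual, normalize_fingerprint(pinned))


def connect_pinned(host, port, pinned, timeout=10.0):
    """Return a TLS socket only if the server's cert matches the pin."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE  # no CA signed this cert; the pin decides
    raw = socket.create_connection((host, port), timeout=timeout)
    try:
        tls = ctx.wrap_socket(raw, server_hostname=host)
    except Exception:
        raw.close()
        raise
    der = tls.getpeercert(binary_form=True)
    if der is None or not matches_pin(der, pinned):
        tls.close()  # hang up before any user name or password is sent
        raise ssl.SSLError("certificate does not match pinned fingerprint")
    return tls


if __name__ == "__main__":
    # Constructed stand-in for DER certificate bytes, so this runs offline.
    sample_der = b"constructed stand-in for a DER-encoded certificate"
    hexfp = hashlib.sha256(sample_der).hexdigest().upper()
    pin = ":".join(hexfp[i:i + 2] for i in range(0, 64, 2))
    print(matches_pin(sample_der, pin))            # the cert that was pinned
    print(matches_pin(sample_der + b"\x00", pin))  # a substituted cert
```

The pin is the colon-separated hex that `openssl x509 -noout -fingerprint -sha256 -in cert.pem` prints after the `=` on the server, carried to the client by a channel other than the connection being protected.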