Bob Mottram 10 years ago
Parent
Commit
21034a3318
1 changed file with 4 additions and 4 deletions

website/faq.html

@@ -4,7 +4,7 @@
4 4
 <html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
5 5
 <head>
6 6
 <title></title>
7
-<!-- 2014-10-28 Tue 21:50 -->
7
+<!-- 2014-10-28 Tue 22:10 -->
8 8
 <meta  http-equiv="Content-Type" content="text/html;charset=utf-8" />
9 9
 <meta  name="generator" content="Org-mode" />
10 10
 <meta  name="author" content="Bob Mottram" />
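Review bot: The only change in this hunk is the export timestamp comment at line 7 (21:50 to 22:10), which the Org-mode generator rewrites on every export, so each republish of website/faq.html will carry a diff line that has nothing to do with the content. Consider turning the timestamp off in the Org source (for example `#+OPTIONS: timestamp:nil`) so that commits to this file show only real text changes. Separately, the context at line 6 shows an empty `<title></title>`; setting a title in the source would fix that in the generated page.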
@@ -463,15 +463,15 @@ Now visit your web site at <a href="https://mydomainname.com/">https://mydomainn
463 463
 <h2 id="unnumbered-5">Why use self-signed certificates?</h2>
464 464
 <div class="outline-text-2" id="text-unnumbered-5">
465 465
 <p>
466
-Almost everywhere on the web you will read that self-signed certificates are worthless. They bring up scary looking browser warnings and gurus will advise you not to use them. Self-signed certificates are quite useful though. What the scary warnings mean - and it would be good if they explained this more clearly - is that you have an encrypted connection established but there is <i>no certainty about who that connection is with</i>. The usual solution to this is to get a "real" SSL certificate from one of the certificate authorities, but it's far from clear that such authorities can be trusted. There have been various scandals involving such organisations, and it does not seem plausible to assume that they are somehow immune to the sort of treatment which <a href="http://en.wikipedia.org/wiki/Lavabit">Lavabit</a> encountered. So although most internet users have been trained to look for the lock icon as an indication that the connection is secured that belief may not always be well founded.
466
+Almost everywhere on the web you will read that self-signed certificates are worthless. They bring up scary looking browser warnings and gurus will advise you not to use them. Self-signed certificates are quite useful though. What the scary warnings mean - and it would be good if they explained this more clearly - is that you have an encrypted connection established but there is <i>no certainty about who that connection is with</i>. The usual solution to this is to get a "real" SSL certificate from one of the certificate authorities, but it's far from clear that such authorities can be trusted. There have been various scandals involving such organisations, and it does not seem plausible to assume that they are somehow immune to the sort of treatment which <a href="http://en.wikipedia.org/wiki/Lavabit">Lavabit</a> received. So although most internet users have been trained to look for the lock icon as an indication that the connection is secured that belief may not always be well founded.
467 467
 </p>
468 468
 
469 469
 <p>
470
-Security of web sites on the internet is still a somewhat unsolved problem, and what we have now is a less than ideal but <i>good enough to fool most of the people most of the time</i> kind of arrangement. Long term a better solution might be to have a number of certificate authorities in a number of different jurisdictions vote on whether a given certificate actually belongs to a given domain name. Experimental systems like this exist, but they're not widely used. Since the current certificate system has an enormous amount of inertia behind it change could be slow in arrival.
470
+Security of web sites on the internet is still a somewhat unsolved problem, and what we have now is a less than ideal but <i>good enough to fool most of the people most of the time</i> kind of arrangement. Long term a better solution might be to have a number of certificate authorities in a number of different jurisdictions vote on whether a given certificate actually belongs to a given domain name. Experimental systems like this exist, but they're not widely used. Since the current certificate system has an enormous amount of inertia behind it change could be slow in arriving.
471 471
 </p>
472 472
 
473 473
 <p>
474
-For now a self-signed certificate will probably in most cases protect your communications from passive surveillance. Once you've got past the scary browser warning and accepted the certificate under most conditions (except when using the Tor browser) you should not repeatedly see that warning. If you do then someone may be trying to meddle with your connection to the server. You can also take a note of the fingerprint of the certificate and check that if you are especially concerned. If the fingerprint remains the same then you're probably ok.
474
+For now a self-signed certificate will probably in most cases protect your communications from "bulk" passive surveillance. Once you've got past the scary browser warning and accepted the certificate under most conditions (except when starting up the Tor browser) you should not repeatedly see that warning. If you do then someone may be trying to meddle with your connection to the server. You can also take a note of the fingerprint of the certificate and verify that if you are especially concerned. If the fingerprint remains the same then you're probably ok.
475 475
 </p>
476 476
 </div>
477 477
 </div>
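Review bot: The reworded paragraph at line 474 tells the reader to note the certificate fingerprint and "verify that", but it never says what to verify it against, and the first acceptance of a self-signed certificate is itself unauthenticated. Suggest adding a sentence saying the fingerprint should be compared with the value taken from the server itself or received over a separate channel, ideally before clicking through the first warning, because an unchanged fingerprint only shows that the peer is the same one seen on first contact. The parenthetical "(except when starting up the Tor browser)" sits directly after "accepted the certificate under most conditions" and reads as if it qualifies accepting the certificate; moving it next to "you should not repeatedly see that warning" would make the intent clear. The Lavabit link at line 466 still uses http:// and could be switched to https://.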