SSL by default for all packaged web apps?
Etienne Goyer
etienne.goyer at canonical.com
Tue Mar 1 23:04:00 UTC 2011
On 11-03-01 05:20 PM, Marc Deslauriers wrote:
> On Tue, 2011-02-22 at 14:56 -0800, Clint Byrum wrote:
>> This bug was opened recently:
>>
>> https://bugs.launchpad.net/bugs/695857
>>
>> It suggests that packages should configure themselves to require SSL by
>> default.
>>
>> I think this is actually a good idea, and I am wondering how this would
>> be received by the greater community.
>>
>> I am marking the bug as "Opinion" and I'd like to get the opinions of
>> the server community as a whole on the issue. If enough people think it's
>> a good idea we can open a blueprint for a future UDS.
>
> We should not turn on SSL by default with self-signed certificates. That
> is insecure and is not a configuration that should be encouraged.
There are two things there:
1. Encrypting communication between the client and the server (notably
to protect the credential exchange from eavesdropping).
2. Preventing MitM by authenticating the server.
Using SSL with a self-signed certificate doesn't address 2., but it does
address 1. From my perspective, it's an incremental improvement over
plain-text HTTP. So, why not?
I have had that argument with a few people over the years. Fact is, at
least for non publicly facing web services, most people will continue to
use self-signed certificates for the simple reason that getting a
"valid" certificate (or setting up your own CA) is a huge hassle, and
not even always possible.
I would even go as far as arguing that trying to discourage people from
using self-signed certificates through systemic measure is a waste of
time, because most people just do not understand the implication.
Putting the cart before the horses and stuff.
--
Etienne Goyer
Technical Account Manager - Canonical Ltd
Ubuntu Certified Instructor - LPIC-3
~= Ubuntu: Linux for Human Beings =~
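The two properties Etienne separates can be checked directly with the openssl CLI. This is an added example, not code from the thread or from any Ubuntu package: it generates a throwaway self-signed certificate of the kind a package might create on install, shows that it does not verify against the client's default trust store (so it gives encryption, property 1, but no server authentication, property 2), and shows that it does verify once the client explicitly pins that certificate as its trust anchor. The CN and file paths are made up; it assumes `openssl` is installed.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread. Assumes the openssl CLI.
set -eu

WORKDIR=$(mktemp -d)
trap 'rm -rf "$WORKDIR"' EXIT

# Create a self-signed certificate for a made-up internal hostname, the way a
# packaged web app would on first install (no CA involved).
make_self_signed() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=intranet.example" \
        -keyout "$WORKDIR/key.pem" -out "$WORKDIR/cert.pem" >/dev/null 2>&1
}

# Report which property a client gets from this certificate.
#   tls_property system -> verify against the default (system) trust store
#   tls_property pinned -> verify with the self-signed cert itself pinned as CA
# Prints "authenticated" if verification succeeds (property 2 holds) and
# "encrypted-only" if it fails (the transport is encrypted, but an attacker
# presenting another self-signed cert would be indistinguishable: property 1 only).
tls_property() {
    case "$1" in
        system)
            if openssl verify "$WORKDIR/cert.pem" >/dev/null 2>&1; then
                echo authenticated
            else
                echo encrypted-only
            fi ;;
        pinned)
            if openssl verify -CAfile "$WORKDIR/cert.pem" "$WORKDIR/cert.pem" \
                    >/dev/null 2>&1; then
                echo authenticated
            else
                echo encrypted-only
            fi ;;
        *)
            echo "usage: tls_property system|pinned" >&2
            return 2 ;;
    esac
}

make_self_signed
echo "default trust store: $(tls_property system)"
echo "cert pinned by client: $(tls_property pinned)"
```

The pinned case is the mitigation for property 2 on non-public services: distributing the generated certificate (or a private CA) to the clients that need it, which is exactly the hassle the post says most people skip.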