SSL by default for all packaged web apps?

Etienne Goyer etienne.goyer at
Tue Mar 1 23:04:00 UTC 2011

On 11-03-01 05:20 PM, Marc Deslauriers wrote:
> On Tue, 2011-02-22 at 14:56 -0800, Clint Byrum wrote:
>> This bug was opened recently:
>> It suggests that packages should configure themselves to require SSL by
>> default.
>> I think this is actually a good idea, and I am wondering how this would
>> be received by the greater community.
>> I am marking the bug as "Opinion" and I'd like to get the opinions of
>> the server community as a whole on the issue. If enough people think its
>> a good idea we can open a blueprint for a future UDS.
> We should not turn on SSL by default with self-signed certificates. That
> is insecure and is not a configuration that should be encouraged.

There is two things there:

1. Encrypting communication between the client and the server (notably
to protect the credential exchange from eavesdropping).

2. Preventing MitM by authenticating the server.

Using SSL with self-signed certificate doesn't address 2., but it does
address 1.  From my perspective, it's an incremental improvement over
plain-text HTTP.  So, why not?

I have had that argument with a few people over the years.  Fact is, at
least for non publicly facing web services, most people will continue to
use self-signed certificates for the simple reason that getting a
"valid" certificate (or setting up your own CA) is a huge hassle, and
not even always possible.

I would even go as far as arguing that trying to discourage people from
using self-signed certificate through systemic measure is a waste of
time, because most people just do not understand the implication.
Putting the cart before the horses and stuff.

Etienne Goyer
Technical Account Manager - Canonical Ltd
Ubuntu Certified Instructor   -    LPIC-3

 ~= Ubuntu: Linux for Human Beings =~

More information about the ubuntu-server mailing list