SSL by default for all packaged web apps?
marc.deslauriers at canonical.com
Tue Mar 1 23:39:24 UTC 2011
On Tue, 2011-03-01 at 18:04 -0500, Etienne Goyer wrote:
> > We should not turn on SSL by default with self-signed certificates. That
> > is insecure and is not a configuration that should be encouraged.
> There is two things there:
> 1. Encrypting communication between the client and the server (notably
> to protect the credential exchange from eavesdropping).
> 2. Preventing MitM by authenticating the server.
> Using SSL with self-signed certificate doesn't address 2., but it does
> address 1. From my perspective, it's an incremental improvement over
> plain-text HTTP. So, why not?
I'm not quite sure under which circumstance 1 would be a problem but 2
would not. When you're on a trusted network? If you're on a trusted
network, you probably don't need SSL in the first place.
The problem here is that turning it on by default will instill a false
sense of security into people's minds. You are telling them that it's
acceptable to bypass the important warnings and to click the "OK" button
in Firefox when they connect the first time. You are showing them the
lock icon in Firefox indicating to them that they're on a secure
connection, when in fact, that's not the case...
> I have had that argument with a few people over the years. Fact is, at
> least for non publicly facing web services, most people will continue to
> use self-signed certificates for the simple reason that getting a
> "valid" certificate (or setting up your own CA) is a huge hassle, and
> not even always possible.
They are trading off security to save $50 and 30 minutes of work.
Unless, of course, you are getting every single user to manually
validate the fingerprint every time they click that Accept button.
> I would even go as far as arguing that trying to discourage people from
> using self-signed certificate through systemic measure is a waste of
> time, because most people just do not understand the implication.
> Putting the cart before the horses and stuff.
Setting up an insecure SSL connection by default, and giving them the
impression of being encrypted properly is security theatre. This isn't
something we should be recommending, or doing by default. If someone
decides that self-signed certificates are "good enough" for them, they
should set it up themselves and face the consequences.
More information about the ubuntu-server