SSL by default for all packaged web apps?
Marc Deslauriers
marc.deslauriers at canonical.com
Wed Mar 2 13:45:24 UTC 2011
On Wed, 2011-03-02 at 08:23 +0000, Hakan Koseoglu wrote:
> Hi Clint,
>
> On 22 February 2011 22:56, Clint Byrum <clint at fewbar.com> wrote:
> > This bug was opened recently:
> >
> > https://bugs.launchpad.net/bugs/695857
> >
> > It suggests that packages should configure themselves to require SSL by
> > default.
> >
> > I think this is actually a good idea, and I am wondering how this would
> > be received by the greater community.
> +1. It's a starting point.
>
> A good sample is SSH. You are not supposed to use password
> authenticated based SSH and only use passphrase protected distributed
> keys but hey, it's way better than Telnet in all cases!
>
> Forcing a naive system administrator to think about SSL & certificates
> is at least something useful. Of course there should be abilities to
> opt-out where SSL is not required. On the other hand, it's like saying
> "on secured networks SSH is not required, telnet is all you need" and
> I'm sure all of us would look at that sentence and mutter "insanity!".
Please don't compare using password-protected SSH with using self-signed
certificates. Using passwords instead of certificates with SSH has no
impact on its effectiveness against MITM attacks. Of course it's better
than Telnet.
It is trivial to MITM self-signed certs, thereby countering any security
advantage by adding SSL. Of course, I assume that people who are
clicking Accept in their browser aren't validating the SSL cert
fingerprint, as technical SSH users are instructed to do.
Marc.
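The check Marc describes (validating a self-signed certificate's fingerprint the way SSH users verify a host key) can be made mechanical. The following is an added example, not code from the thread or from any Ubuntu package: a client-side pin store that records a server's certificate fingerprint on first contact, the way ~/.ssh/known_hosts does, and refuses the connection if the fingerprint later changes. The host names and the "certificate" byte strings are constructed stand-ins; connect_pinned is a hypothetical helper that shows where the check sits in a real TLS handshake and is not run here.

```python
"""Fingerprint pinning for self-signed certificates (added example).

Models the verification step discussed above: trust on first use, then
refuse any later connection whose certificate fingerprint differs. Host
names and certificate bytes below are constructed for illustration.
"""
import hashlib
import socket
import ssl
from typing import Dict, Tuple

# Outcomes of a pin check, in the spirit of what ssh reports.
TRUSTED = "trusted"        # fingerprint matches the pinned one
FIRST_USE = "first-use"    # host unknown; pin recorded (trust on first use)
MISMATCH = "MISMATCH"      # host known but fingerprint differs: refuse


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate, colon separated
    like the output of `openssl x509 -fingerprint -sha256`."""
    digest = hashlib.sha256(der_cert).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


class PinStore:
    """In-memory equivalent of ~/.ssh/known_hosts for TLS fingerprints."""

    def __init__(self) -> None:
        self._pins: Dict[Tuple[str, int], str] = {}

    def check(self, host: str, port: int, der_cert: bytes) -> str:
        fp = fingerprint(der_cert)
        key = (host, port)
        pinned = self._pins.get(key)
        if pinned is None:
            # First contact: record the fingerprint. Anyone already in the
            # path at this moment wins, exactly as with SSH, so the value
            # should be confirmed out of band before relying on it.
            self._pins[key] = fp
            return FIRST_USE
        if pinned == fp:
            return TRUSTED
        # A changed fingerprint is either a legitimate re-key or an
        # interception; the client cannot tell which, so it must stop.
        return MISMATCH


def connect_pinned(host: str, port: int, store: PinStore) -> ssl.SSLSocket:
    """Open a TLS connection to a self-signed server and enforce the pin.

    Chain validation is disabled on purpose (there is no CA to validate a
    self-signed cert against); the fingerprint check replaces it. This is
    a hypothetical helper, not exercised here because it needs a live server.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    raw = socket.create_connection((host, port))
    tls = ctx.wrap_socket(raw, server_hostname=host)
    der = tls.getpeercert(binary_form=True)
    if store.check(host, port, der) == MISMATCH:
        tls.close()
        raise ssl.SSLError(f"pinned fingerprint for {host}:{port} changed")
    return tls


# Constructed stand-ins for DER certificates: the pinning logic only hashes
# the bytes, so any two distinct byte strings demonstrate the behaviour.
SERVER_CERT = b"constructed DER bytes for the real server"
ATTACKER_CERT = b"constructed DER bytes for a man in the middle"


def demo() -> list:
    """Run the three cases against one store and return the outcomes."""
    store = PinStore()
    return [
        store.check("wiki.example.test", 443, SERVER_CERT),    # first-use
        store.check("wiki.example.test", 443, SERVER_CERT),    # trusted
        store.check("wiki.example.test", 443, ATTACKER_CERT),  # MISMATCH
    ]


if __name__ == "__main__":
    print(fingerprint(SERVER_CERT))
    print(demo())
```

The point of the example is the third outcome: a browser's "Accept" button has no equivalent of the MISMATCH branch unless the user compares fingerprints by hand, which is exactly the gap between SSH's host-key model and an unpinned self-signed certificate.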
More information about the ubuntu-server mailing list