SSL by default for all packaged web apps?
Clint Byrum
clint at ubuntu.com
Wed Mar 2 15:05:04 UTC 2011
On Wed, 2011-03-02 at 08:45 -0500, Marc Deslauriers wrote:
> On Wed, 2011-03-02 at 08:23 +0000, Hakan Koseoglu wrote:
> > Forcing a naive system administrator to think about SSL & certificates
> > is at least something useful. Of course there should be abilities to
> > opt-out where SSL is not required. On the other hand, it's like saying
> > "on secured networks SSH is not required, telnet is all you need" and
> > I'm sure all of us would look at that sentence and mutter "insanity!".
>
> Please don't compare using password-protected SSH with using self-signed
> certificates. Using passwords instead of certificates with SSH has no
> impact on it's effectiveness against MITM attacks. Of course it's better
> then Telnet.
>
> It is trivial to MITM self-signed certs, thereby countering any security
> advantage by adding SSL. Of course, I assume that people who are
> clicking Accept in their browser aren't validating the SSL cert
> fingerprint, as technical SSH users are instructed to do.
>
I think you're trivializing a decent analogy, though I agree its not
entirely the same. However, SSH carries the same fingerprint
verification problem that makes MITM just as simple on the first
connection. Most browser users will save the certificate and be warned
if it changes, just like the SSH user will be warned.
The main difference is that ssh would generally be used by a more
conscientious user than a browser user.
More information about the ubuntu-server
mailing list