SSL by default for all packaged web apps?
marc.deslauriers at canonical.com
Wed Mar 2 15:24:49 UTC 2011
On Wed, 2011-03-02 at 17:05 +0200, Clint Byrum wrote:
> On Wed, 2011-03-02 at 08:45 -0500, Marc Deslauriers wrote:
> > On Wed, 2011-03-02 at 08:23 +0000, Hakan Koseoglu wrote:
> > > Forcing a naive system administrator to think about SSL & certificates
> > > is at least something useful. Of course there should be abilities to
> > > opt-out where SSL is not required. On the other hand, it's like saying
> > > "on secured networks SSH is not required, telnet is all you need" and
> > > I'm sure all of us would look at that sentence and mutter "insanity!".
> > Please don't compare using password-protected SSH with using self-signed
> > certificates. Using passwords instead of certificates with SSH has no
> > impact on its effectiveness against MITM attacks. Of course it's better
> > than Telnet.
> > It is trivial to MITM self-signed certs, thereby countering any security
> > advantage by adding SSL. Of course, I assume that people who are
> > clicking Accept in their browser aren't validating the SSL cert
> > fingerprint, as technical SSH users are instructed to do.
> I think you're trivializing a decent analogy, though I agree it's not
> entirely the same. However, SSH carries the same fingerprint
> verification problem that makes MITM just as simple on the first
> connection. Most browser users will save the certificate and be warned
> if it changes, just like the SSH user will be warned.
> The main difference is that ssh would generally be used by a more
> conscientious user than a browser user.
I totally agree.
If web ssl self-signed certs were only for sysadmins who would know to
validate the fingerprint and suspect something is wrong when they get a
new browser warning, there would be a big advantage to turning it on.
Unfortunately, that's not the case, and it's why you can't deploy
self-signed certs to end users and expect any level of security.
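
The fingerprint check this thread turns on, as an added example that is not part of the original message: a trust-on-first-use pin store that behaves like SSH known_hosts, showing that the first connection is unverified unless a fingerprint obtained out of band is enforced. `PinStore`, its return labels, the host name and the sample byte strings are assumptions made for illustration.

```python
import hashlib
import hmac
from typing import Optional

def fingerprint(der_cert: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate as colon-separated hex."""
    digest = hashlib.sha256(der_cert).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

class PinStore:
    """Hypothetical per-host pin store, analogous to SSH known_hosts."""

    def __init__(self) -> None:
        self.pins = {}

    def check(self, host: str, der_cert: bytes,
              out_of_band_fp: Optional[str] = None) -> str:
        seen = fingerprint(der_cert)
        if out_of_band_fp is not None:
            # A fingerprint delivered over a trusted channel is enforced
            # even on first contact, so there is no unverified window.
            if not hmac.compare_digest(seen, out_of_band_fp.upper()):
                return "REJECT_MISMATCH"
            self.pins[host] = seen
            return "VERIFIED"
        pinned = self.pins.get(host)
        if pinned is None:
            # Trust on first use: nothing to compare against, so whatever
            # certificate is presented gets pinned, genuine or not.
            self.pins[host] = seen
            return "FIRST_USE_UNVERIFIED"
        if hmac.compare_digest(seen, pinned):
            return "MATCH"
        # Counterpart of the SSH "host key changed" warning; pin is kept.
        return "CHANGED"

# Constructed byte strings standing in for DER-encoded certificates.
SERVER_CERT = b"constructed-der-bytes-for-the-real-server"
OTHER_CERT = b"constructed-der-bytes-for-a-different-key"

if __name__ == "__main__":
    tofu = PinStore()
    print(tofu.check("app.example", OTHER_CERT))   # pinned without verification
    print(tofu.check("app.example", SERVER_CERT))  # later seen as a change
    strict = PinStore()
    print(strict.check("app.example", OTHER_CERT, fingerprint(SERVER_CERT)))
    print(strict.check("app.example", SERVER_CERT, fingerprint(SERVER_CERT)))
```
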