SSL by default for all packaged web apps?

Soren Hansen soren at
Thu Mar 3 21:03:28 UTC 2011

2011/3/3 Neal McBurnett <neal at>:
> Contrasting this with STARTTLS might also be instructive, though of
> course there are big differences.  But last I checked (a while ago) a
> substantial amount of SMTP traffic was encrypted based on self-signed
> certificates because it was made pretty easy-to-do, though that was
> more likely to be used between servers than from an end user.

SMTP over SSL is incredibly odd. SMTP is a communication protocol used
between servers. It's unattended. There's no-one to verify the SSL cert
of the remote party manually, so it has to be done automatically. You
have two options: 1) require CA-validated certs, or 2) accept any SSL cert.

Because using self-signed certs is so incredibly pervasive, option 1) would
basically render you unable to speak SMTP/SSL to anyone, and option 2), which
is the default, means MitM attacks are the easiest thing in the world, yet
people seem perfectly content with this.

Soren Hansen        |
Ubuntu Developer    |
OpenStack Developer |
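The two options Soren describes, as an added example that is not part of the original thread or of any Ubuntu or OpenStack code: a small Python SMTP client that picks a per-destination TLS policy, "may" (opportunistic: use STARTTLS if offered, accept any certificate, including a self-signed or a MitM's one) or "verify" (require STARTTLS and a CA-validated certificate matching the host). The domain names in the policy table are hypothetical, and deliver() assumes a reachable SMTP server; the policy and context functions run offline.

```python
import smtplib
import ssl

# Constructed sample policy table; the domains are hypothetical.
# "may"    = opportunistic TLS: encrypt if the server offers STARTTLS,
#            but accept any certificate (option 2 in the post above).
# "verify" = mandatory TLS: require STARTTLS and a CA-validated cert
#            whose name matches the host we connected to (option 1).
TLS_POLICY = {
    "partner.example": "verify",
}
DEFAULT_POLICY = "may"


def policy_for(domain: str) -> str:
    """Look up the TLS policy for a destination domain (case-insensitive)."""
    return TLS_POLICY.get(domain.lower(), DEFAULT_POLICY)


def context_for(policy: str) -> ssl.SSLContext:
    """Build the SSLContext that implements a policy."""
    ctx = ssl.create_default_context()  # system CA store, hostname checking on
    if policy == "verify":
        # Option 1: the peer must present a certificate chaining to a trusted
        # CA and naming the host we connected to; anything else aborts.
        ctx.check_hostname = True
        ctx.verify_mode = ssl.CERT_REQUIRED
        return ctx
    if policy == "may":
        # Option 2: still encrypt, but trust whatever certificate arrives.
        # A self-signed cert passes; so does one forged by an active MitM.
        # check_hostname must be disabled before verify_mode can be CERT_NONE.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
        return ctx
    raise ValueError(f"unknown TLS policy {policy!r}")


def deliver(host: str, domain: str, sender: str, rcpt: str, msg: str,
            port: int = 25) -> dict:
    """Connect to `host`, negotiate TLS according to the policy for `domain`,
    send one message, and report what protection was actually obtained."""
    policy = policy_for(domain)
    ctx = context_for(policy)
    result = {"policy": policy, "tls": False, "verified": False}
    with smtplib.SMTP(host, port, timeout=30) as smtp:
        smtp.ehlo()
        if smtp.has_extn("starttls"):
            # Pass the context explicitly so the verification policy is ours,
            # not whatever smtplib would pick on its own.
            smtp.starttls(context=ctx)
            smtp.ehlo()  # capabilities may differ after STARTTLS
            result["tls"] = True
            result["verified"] = policy == "verify"
        elif policy == "verify":
            raise RuntimeError(
                f"{host} offers no STARTTLS but policy for {domain} is 'verify'")
        # policy "may" with no STARTTLS offered: fall through, send in the clear
        smtp.sendmail(sender, rcpt, msg)
    return result
```

Under "may", a downgrade is silent: an attacker who strips the STARTTLS capability from the EHLO reply, or who presents any certificate of their own, gets the message, which is exactly why the post calls the default an easy MitM. Under "verify", the hostname check is only as good as the name you connected to; in real MTA-to-MTA delivery that name comes from an MX lookup, so it needs to be obtained from a source you trust for the check to mean much.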

More information about the ubuntu-server mailing list