Problem with site certificate

CLIFFORD ILKAY clifford_ilkay at
Tue Dec 2 23:12:30 UTC 2008

Res wrote:
> On Tue, 2 Dec 2008, Sambit Bikas Pal wrote:
>> authenticity of the trader. Otherwise it completely spoils the purpose
>> of having an encrypted connection. Any malicious third party can claim
> You're sort of correct, it defeats the purpose of having a verified 
> connection, the encryption is fine if on a local server for say a CRM 
> portal to prevent snooping, besides a lot of people are not prepared to 
> pay the exrtive rates some of the previously mentioned services want to 
> charge.
>> to be someone else, issue a self certificate and pose as the original
>> trader, thereby fooling the customer. This is a typical example of
>> man-in-the-middle attack. So inform your bank about this issue.
> True, and I'd expect a bank of all places to use a trusted signer, not 
> like they cant afford it.

It is a debatable point how much one can really trust these "trusted"
certificate authorities. The "web of trust" model that PGP uses, for
example, is probably more trustworthy than a central CA that does very
little about verifying the identity of the applicant. I recall someone
who had nothing to do with managed to purchase a
commercial certificate a few years ago just to prove that it could be
done. I have to wonder how many sites out there with "legitimate"
certificates are really bogus but we don't really want to think of that,
do we? Of course if you can manage to subvert DNS, all bets are off anyway.

Clifford Ilkay
1419-3266 Yonge St.
Toronto, ON
Canada  M4N 3P6

+1 416-410-3326
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3273 bytes
Desc: S/MIME Cryptographic Signature
URL: <>

More information about the ubuntu-users mailing list