[jdev] TLS and self-signed certs
Justin Karneges
justin-keyword-jabber.093179 at affinix.com
Thu Nov 11 19:06:01 CST 2004
While JD's comments sum this up nicely, I just want to reiterate loudly that
self-signed certificates alone truly are worthless. I'm not even talking
about man in the middle attacks either. As a form of identity, a self-signed
cert is as effective as the "From:" header in good old SMTP, and this would
allow spammers to get right in and start faking domains.
TLS + dialback is an intriguing idea. It wouldn't impress the security mafia
one bit, but at least you wouldn't open the door to spammers.
-Justin
On Thursday 11 November 2004 04:49 pm, JD Conley wrote:
> Allowing self signed (or otherwise untrusted) certs with STARTTLS +
> EXTERNAL is opening yourself up for a serious security breach. Using it
> with stream:features over dialback would give you encryption with a self
> signed cert and trust through the DNS system. STARTTLS + Dialback
> offers some level of trust along with encryption without having to worry
> about the complexities of a certificate chain.
>
> So, I agree, with both of you. :) We have implemented STARTTLS +
> EXTERNAL for S2S in SoapBox Server and allow administrators to choose
> the level of trust they require. I assume if the community gets behind
> it we'll implement STARTTLS + dialback as well.
>
> JD
>
> > -----Original Message-----
> > From: Peter Saint-Andre [mailto:stpeter at jabber.org]
> > Sent: Thursday, November 11, 2004 4:05 PM
> > To: jdev at jabber.org
> > Subject: [jdev] TLS and self-signed certs
> >
> > http://web.amessage.info/news/article/2981 asserts that one cannot use
> > self-signed certs with TLS for securing XMPP streams. I don't think
> > that's true, since we took that into account when writing RFC3920.
> >
> > Also, I am working with the folks from CAcert.org on building JabberIDs
> > (for any kind of Jabber entity) into CAcert-issued certificates.
> >
> > Peter
>
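As an added illustration of the trust decision JD and Justin are debating (this is not code from the thread, from SoapBox Server, or from any other project; the function and sample names are my own), here is the inbound S2S policy written out: SASL EXTERNAL is honoured only when the chain was verified against a trust anchor and the verified certificate actually names the claimed origin domain, dialback supplies identity from DNS when it is not, and an unverified or self-signed certificate contributes nothing to identity, exactly like an SMTP "From:" header.

```python
# Assumed helper names (not from the thread): trust decision for an
# inbound XMPP server-to-server stream, combining chain verification,
# certificate name matching and dialback.

def cert_identities(peer_cert):
    """Return the DNS names a peer certificate asserts, using the dict
    layout of ssl.SSLSocket.getpeercert(): subjectAltName DNS entries
    plus the subject commonName. When verification is off (CERT_NONE)
    getpeercert() returns {}, so an unverified cert asserts no identity."""
    names = set()
    for kind, value in peer_cert.get("subjectAltName", ()):
        if kind == "DNS":
            names.add(value.lower())
    for rdn in peer_cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                names.add(value.lower())
    return names

def name_matches(name, domain):
    """Exact match, or a single-label wildcard such as *.example.org."""
    name, domain = name.lower(), domain.lower()
    if name == domain:
        return True
    if name.startswith("*."):
        suffix = name[1:]  # ".example.org"
        return domain.endswith(suffix) and domain.count(".") == name.count(".")
    return False

def s2s_trust_decision(origin, chain_verified, peer_cert, dialback_ok):
    """Classify a stream claiming to come from `origin`.
    'external' : chain verified by a trust anchor AND the cert names the
                 origin; only here is SASL EXTERNAL safe to accept.
    'dialback' : encrypted with whatever cert the peer offered, identity
                 taken from DNS dialback instead of the cert.
    'reject'   : anything else, including a self-signed cert that merely
                 claims a name (as trustworthy as an SMTP From: header)."""
    if chain_verified and any(
            name_matches(n, origin) for n in cert_identities(peer_cert)):
        return "external"
    if dialback_ok:
        return "dialback"
    return "reject"

# Constructed sample in the shape getpeercert() returns after a verified
# handshake; example.org is a placeholder domain.
VERIFIED_CERT = {
    "subject": ((("commonName", "xmpp.example.org"),),),
    "subjectAltName": (("DNS", "xmpp.example.org"),
                       ("DNS", "*.conference.example.org")),
}
```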