Re: [Pan-users] gnutls error: hostname does not match server name
From: Duncan
Subject: Re: [Pan-users] gnutls error: hostname does not match server name
Date: Thu, 3 May 2012 01:04:04 +0000 (UTC)
User-agent: Pan/0.136 (I'm far too busy being delicious; GIT 187e40f /st/portage/src/egit-src/pan2)
walt posted on Wed, 02 May 2012 11:44:08 -0700 as excerpted:
> I see that both of my (very low-budget) news providers use self-signed
> certs anyway, so there is no protection from MITM possible in any case.
> (Cheap is cheap ;)
That's not exactly true. As long as you either get the correct cert on
the first connect (trusted first connect) or get the cert via another
channel, say via a secure web page that DOES have a properly signed
cert... which is possible if they're actually doing financial
transactions via that secure connection; many folks are careful enough
not to do financial transactions over self-signed, at least. Then, as long as
that cert doesn't change, you can continue to trust it, and it's as
MitM-proof as any signed cert at the same encryption level, self-signed or not.
Of course, if the first connection is compromised, or if either you or
your client doesn't bother to check for consistency of the cert after the
first connection, /then/ someone could MitM it, but the idea is the same
as with SSH: you gotta trust the channel you first get the cert over, but
after that, you're protected as long as you're verifying that it's the
same one each time.
Actually, in that regard a self-signed cert is often more secure than a
certificate-authority-signed cert. Because most setups, browsers
included, accept any properly signed certificate for the site and do NOT
track changes, if for instance Iran hacks a signing authority and grants
its own now-signed certs for a site (as you're well aware if you follow
such things, this actually happened; well, they're /reasonably/ sure it
was Iran, it was SOMEONE using inappropriately certified certs), your
browser won't let you know when they change, because they're all properly
signed. But if the site uses self-signed certs and you accept the valid
one, if it changes, at least to another self-signed one, you'll normally get
the usual warnings all over again, and can act accordingly.
--
Duncan - List replies preferred. No HTML msgs.
"Every nonfree program has a lord, a master --
and if you use the program, he is your master." Richard Stallman
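The "same cert each time" check Duncan describes, as an added example that is not Pan's code nor anything from the list: a trust-on-first-use pin store keyed on the SHA-256 fingerprint of the server's DER certificate, which flags a changed certificate whether it is self-signed or re-issued by a CA. The hostname, the pin-file format and the certificate bytes are constructed for the example; fetch_der() is the only part that touches the network.

```python
import hashlib
import hmac
import json
import ssl

FIRST_USE, MATCH, MISMATCH = "first-use", "match", "mismatch"

# Constructed stand-ins for DER-encoded certificates (not real certs).
CERT_ORIGINAL = b"constructed DER bytes: self-signed cert seen on first connect"
CERT_REPLACED = b"constructed DER bytes: a different cert for the same host"


def fingerprint(der_cert):
    """SHA-256 over the DER bytes; this is the value to compare out of band."""
    return hashlib.sha256(der_cert).hexdigest()


class PinStore:
    """Remembers the fingerprint first seen for each host:port.

    path=None keeps pins in memory only; a pathlib.Path persists them as
    JSON (a format chosen for this example, not a Pan file)."""

    def __init__(self, path=None):
        self.path = path
        self.pins = json.loads(path.read_text()) if path and path.exists() else {}

    def check(self, host, port, der_cert):
        """FIRST_USE: nothing pinned yet, the caller decides whether to trust the
        channel and then calls remember(). MISMATCH: same server, different cert,
        which is the warning the thread wants, self-signed or CA-signed alike."""
        pinned = self.pins.get(f"{host}:{port}")
        if pinned is None:
            return FIRST_USE
        return MATCH if hmac.compare_digest(pinned, fingerprint(der_cert)) else MISMATCH

    def remember(self, host, port, der_cert):
        self.pins[f"{host}:{port}"] = fingerprint(der_cert)
        if self.path:
            self.path.write_text(json.dumps(self.pins, indent=2))


def fetch_der(host, port=563):
    """Fetch the live leaf certificate (563 is the NNTPS port); needs network."""
    return ssl.PEM_cert_to_DER_cert(ssl.get_server_certificate((host, port)))


def simulate_sessions():
    """Three connects to one server: first use, unchanged cert, swapped cert."""
    store = PinStore()
    host, port = "news.example", 563            # hypothetical news server
    first = store.check(host, port, CERT_ORIGINAL)
    store.remember(host, port, CERT_ORIGINAL)   # trusted first connect
    return [first,
            store.check(host, port, CERT_ORIGINAL),
            store.check(host, port, CERT_REPLACED)]


if __name__ == "__main__":
    print(simulate_sessions())  # ['first-use', 'match', 'mismatch']
```

A MISMATCH is only meaningful if the client refuses the connection or asks the user, and a pin must be renewed deliberately when the provider legitimately rotates its certificate.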