Re: AW: AW: AW: WebSocket API: close and error events

From: Ian Hickson <ian@hixie.ch>
Date: Tue, 25 Oct 2011 21:59:47 +0000 (UTC)
To: Glenn Maynard <glenn@zewt.org>
cc: Tobias Oberstein <tobias.oberstein@tavendo.de>, Simon Pieters <simonp@opera.com>, "public-webapps@w3.org" <public-webapps@w3.org>
Message-ID: <Pine.LNX.4.64.1110252157540.14432@ps20323.dreamhostps.com>

On Tue, 25 Oct 2011, Glenn Maynard wrote:
> On Tue, Oct 25, 2011 at 5:18 PM, Ian Hickson <ian@hixie.ch> wrote:
> > On Tue, 25 Oct 2011, Tobias Oberstein wrote:
> > >
> > > There are situations when self-signed certs are quite common like on 
> > > private networks or where self-signed certs might be "necessary", 
> > > like with a software appliance that auto-creates a self-signed cert 
> > > on first boot (and the user is too lazy / does not have own CA).
> >
> > A self-signed cert essentially provides you with no security. You 
> > might as well be not bothering with encryption.
> 
> This is complete nonsense.  Protecting against passive attacks is a 
> major, clear-cut win, even without protecting against active (MITM) 
> attacks.

That only makes sense if passive attack is significantly easier than 
active attack, which it is not.

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
Received on Tuesday, 25 October 2011 22:04:11 GMT
