On Tue, Oct 25, 2011 at 5:18 PM, Ian Hickson <ian@hixie.ch> wrote:
> On Tue, 25 Oct 2011, Tobias Oberstein wrote:
> >
> > There are situations when self-signed certs are quite common like on
> > private networks or where self-signed certs might be "necessary", like
> > with a software appliance that auto-creates a self-signed cert on first
> > boot (and the user is too lazy / does not have their own CA).
>
> A self-signed cert essentially provides you with no security. You might as
> well be not bothering with encryption.
>
This is complete nonsense. Protecting against passive attacks is a major,
clear-cut win, even without protecting against active (MITM) attacks.
--
Glenn Maynard
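
The passive-versus-active distinction argued over in this exchange, as an added example that is not part of the original thread: a toy unauthenticated Diffie-Hellman exchange in which both ends derive a key that is never transmitted, a substituted public value goes unnoticed when nothing is verified, and a known fingerprint catches the substitution. The parameters, function names and the use of a pinned fingerprint as a stand-in for a verified certificate are all assumptions made for illustration.

```python
import hashlib
import secrets

# Toy group for illustration only (constructed; not suitable for real use).
P = 2**127 - 1  # a Mersenne prime
G = 3

def keypair():
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)

def session_key(priv, peer_pub):
    # Both ends hash the shared secret; only public values cross the wire.
    shared = pow(peer_pub, priv, P)
    return hashlib.sha256(shared.to_bytes(16, "big")).hexdigest()

def fingerprint(pub):
    return hashlib.sha256(pub.to_bytes(16, "big")).hexdigest()

def connect(client_priv, presented_pub, pinned_fp=None):
    """Client side. pinned_fp is a hypothetical stand-in for a verified
    certificate; with None the client accepts any key, as it would when
    it cannot verify a self-signed certificate."""
    if pinned_fp is not None and fingerprint(presented_pub) != pinned_fp:
        raise ValueError("server key does not match expected fingerprint")
    return session_key(client_priv, presented_pub)

def run_scenarios():
    c_priv, c_pub = keypair()   # client
    s_priv, s_pub = keypair()   # real server
    m_priv, m_pub = keypair()   # on-path party that replaces s_pub

    # 1. Passive observer: sees c_pub and s_pub only; the ends agree on a key.
    passive_ok = connect(c_priv, s_pub) == session_key(s_priv, c_pub)

    # 2. Substituted key, no verification: the client silently shares its
    #    key with the intermediary, not with the real server.
    client_key = connect(c_priv, m_pub)
    shared_with_intermediary = client_key == session_key(m_priv, c_pub)
    shared_with_server = client_key == session_key(s_priv, c_pub)

    # 3. Same substitution, but the client knows the real fingerprint.
    try:
        connect(c_priv, m_pub, pinned_fp=fingerprint(s_pub))
        detected = False
    except ValueError:
        detected = True
    return passive_ok, shared_with_intermediary, shared_with_server, detected
```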