- From: Ian Hickson <ian@hixie.ch>
- Date: Tue, 25 Oct 2011 21:59:47 +0000 (UTC)
- To: Glenn Maynard <glenn@zewt.org>
- cc: Tobias Oberstein <tobias.oberstein@tavendo.de>, Simon Pieters <simonp@opera.com>, "public-webapps@w3.org" <public-webapps@w3.org>
On Tue, 25 Oct 2011, Glenn Maynard wrote:
> On Tue, Oct 25, 2011 at 5:18 PM, Ian Hickson <ian@hixie.ch> wrote:
> > On Tue, 25 Oct 2011, Tobias Oberstein wrote:
> > >
> > > There are situations when self-signed certs are quite common like on
> > > private networks or where self-signed certs might be "necessary",
> > > like with a software appliance that auto-creates a self-signed cert
> > > on first boot (and the user is too lazy / does not have own CA).
> >
> > A self-signed cert essentially provides you with no security. You
> > might as well be not bothering with encryption.
>
> This is complete nonsense. Protecting against passive attacks is a
> major, clear-cut win, even without protecting against active (MITM)
> attacks.

That only makes sense if passive attack is significantly easier than
active attack, which it is not.

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
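An added example, not part of this thread and not code from any of its participants, that makes the disputed point concrete from the defender's side: a self-signed certificate fails ordinary chain validation, so by itself it authenticates nothing and an active attacker can substitute their own; what turns it into an authenticated channel (the appliance case Tobias describes) is pinning its fingerprint after a trusted first contact and rejecting anything else later. It goes beyond the thread in showing the pinning check. It assumes the `openssl` command-line tool is installed; the two certificates and their names (`appliance.example`, `impostor.example`) are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread). Demonstrates:
#   1. a self-signed cert is rejected by normal chain validation;
#   2. pinning its SHA-256 fingerprint accepts the genuine cert and
#      rejects a different self-signed cert presented in its place.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed test material: generate a self-signed certificate and key
# for the hypothetical host name given as $1.
make_selfsigned() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
    -subj "/CN=$1" -keyout "$WORK/$1.key" -out "$WORK/$1.pem" >/dev/null 2>&1
}

# SHA-256 fingerprint of the certificate in file $1, as 64 hex characters.
cert_fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 \
    | sed 's/^.*=//; s/://g' | tr 'A-F' 'a-f'
}

# Returns 0 if certificate $1 validates against the default trust store.
# A self-signed cert has no trust anchor there, so this fails.
chain_valid() {
  openssl verify "$1" >/dev/null 2>&1
}

# Pinned check: returns 0 only if certificate $1 has the stored fingerprint $2.
# This is the trust-on-first-use rule an appliance client would apply.
pin_matches() {
  [ "$(cert_fingerprint "$1")" = "$2" ]
}

make_selfsigned appliance.example   # the appliance's auto-created cert
make_selfsigned impostor.example    # a different self-signed cert (substitution)

# First trusted contact: record the appliance's fingerprint.
PIN=$(cert_fingerprint "$WORK/appliance.example.pem")

if chain_valid "$WORK/appliance.example.pem"; then
  echo "chain validation: accepted"
else
  echo "chain validation: rejected (self-signed, no trust anchor)"
fi

if pin_matches "$WORK/appliance.example.pem" "$PIN"; then
  echo "pinned check, genuine cert: accepted"
fi

if ! pin_matches "$WORK/impostor.example.pem" "$PIN"; then
  echo "pinned check, substituted cert: rejected"
fi
```

Without the pin, the client has no way to tell the appliance's certificate from the impostor's, which is the sense in which an unpinned self-signed certificate provides no authentication; with the pin, only the certificate seen at first contact is ever accepted, at the cost of a manual re-trust step whenever the appliance legitimately regenerates its key.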
Received on Tuesday, 25 October 2011 22:04:11 UTC