Microsoft deems all DigiNotar certificates untrustworthy, releases

Brett Frankenberger rbf+nanog at panix.com
Tue Sep 13 09:58:55 CDT 2011


On Tue, Sep 13, 2011 at 09:45:39AM -0500, Chris Adams wrote:
> Once upon a time, Tei <oscar.vives at gmail.com> said:
> > He, I just want to self-sign my CERT's and remove the ugly warning that
> > browsers shows.
> 
> SSL without some verification of the far end is useless, as a
> man-in-the-middle attack can create self-signed certs just as easily.

It protects against attacks where the attacker merely monitors the
traffic between the two endpoints.

As you suggest, it does not protect against MITM, but that's different
from being useless.

The value of protecting against the former but not the latter may vary
by situation, but it's not always zero.  Not all attackers/attacks that
can sniff also have the capability and willingness to MITM.

(And even SSL w/ endpoint verification isn't absolute security.  For
example, it doesn't protect against endpoint compromises.  But that
doesn't make endpoint verification useless.)

     -- Brett
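The trade-off described above (a blindly accepted self-signed cert defeats passive sniffing but not an active MITM) has a standard defender-side remedy: pin the self-signed certificate's fingerprint on first use, so every later connection does verify the far end. Added example, not code from the thread; the helper names, the JSON pin file and the host values are assumptions.

```python
import hashlib
import json
import socket
import ssl
from pathlib import Path


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 over the DER-encoded certificate, hex-encoded (the usual pin format)."""
    return hashlib.sha256(der_cert).hexdigest()


def check_pin(host: str, der_cert: bytes, pins: dict) -> str:
    """Trust-on-first-use check of the presented certificate against the pin store.

    Returns "first_use" (pin recorded) or "match"; raises on a mismatch, which is
    what an active man-in-the-middle substituting its own self-signed cert produces.
    """
    seen = fingerprint(der_cert)
    expected = pins.get(host)
    if expected is None:
        pins[host] = seen  # first contact: nothing to compare against, so remember it
        return "first_use"
    if expected == seen:
        return "match"
    raise ssl.SSLCertVerificationError(
        f"pin mismatch for {host}: expected {expected[:16]}..., got {seen[:16]}...")


def connect_pinned(host: str, port: int, pin_file: Path) -> str:
    """Open a TLS connection to a self-signed server and enforce the stored pin.

    The handshake itself accepts any certificate (there is no CA chain to validate);
    identity is established afterwards by comparing the peer's fingerprint.
    pin_file is an assumed JSON store mapping host -> fingerprint.
    """
    pins = json.loads(pin_file.read_text()) if pin_file.exists() else {}
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False  # must be cleared before verify_mode can be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port)) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            result = check_pin(host, tls.getpeercert(binary_form=True), pins)
    pin_file.write_text(json.dumps(pins))  # persist a newly recorded pin
    return result
```

The first contact is the one window in which an interposed attacker could plant its own pin, which is why out-of-band fingerprint comparison on first use is still worth doing.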
