Microsoft deems all DigiNotar certificates untrustworthy, releases

Valdis.Kletnieks at Valdis.Kletnieks at
Tue Sep 13 15:03:15 UTC 2011

On Tue, 13 Sep 2011 16:29:30 +0200, Tei said:
> He, I just want to self-sign my CERT's and remove the ugly warning that
> browsers show. I don't want to pay 1000$ a year, or 1$ a year for that. I

The warning is there for a *reason* - namely that if you have a self-signed
cert, a first time visitor has *zero* way to verify it's *your* self-signed
cert and not some hijacker's self-signed cert.

> just don't want to use cleartext for internet data transfer.  HTTP is like
> telnet, and HTTPS is like ssh. But with ssh I can just connect, with
> browsers there's this ugly warning and "fuck you, self-signed certificate"
> from the browsers.  Please make the pain stop!

If you use SSH to connect, and either ignore the "host key has changed" or
"authenticity can't be established, continue connecting?" messages, you get
what you deserve - those are the *exact* same issues that your browser warns
about self-signed certs.  And if you *don't* ignore them on SSH - why do you
want to ignore them on SSL?

Note that there's another big difference between SSH and SSL - the number of
people who are allowed to SSH to a given machine is (a) usually small and (b)
pre-identified up front.  So if Fred gets an "unknown host key" while SSH'ing
to the server you just set up, that's probably not a big issue because you
presumably know who Fred is and just created an account for him, so you can
supply him with the footprint of the SSH host key to double-verify.  That does
*not* scale to Internet-facing web services.

Of course, if you have a *private* *internal* webserver with limited users,
you're free to use a self-signed cert and use your browser's handy "Add
security exemption" dialog and check "Permanent".

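The three situations the reply contrasts (a first-time visitor with nothing to compare against, Fred who was handed the host-key fingerprint out of band, and a small internal user base that accepts a key once and pins it permanently) can be modelled with a known_hosts-style pin store. The code below is an added illustration, not something from the thread or from OpenSSH; the key bytes, the hostname and the `KnownHosts` class are constructed for the example, and the fingerprint format mirrors the OpenSSH `SHA256:` display style.

```python
import base64
import hashlib
import hmac
from enum import Enum


class Verdict(Enum):
    TRUSTED = "presented key matches the pinned fingerprint"
    UNKNOWN = "first contact: nothing to compare against (the 'continue connecting?' case)"
    CHANGED = "presented key differs from the pinned fingerprint (the 'host key has changed' case)"


def fingerprint(public_key: bytes) -> str:
    """SHA-256 fingerprint in the OpenSSH display style: 'SHA256:' + unpadded base64."""
    digest = hashlib.sha256(public_key).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


class KnownHosts:
    """A minimal known_hosts-style pin store (hypothetical class): hostname -> fingerprint."""

    def __init__(self) -> None:
        self._pins: dict[str, str] = {}

    def pin(self, host: str, fp: str) -> None:
        """Record a fingerprint obtained out of band (the admin hands Fred the fingerprint)."""
        self._pins[host] = fp

    def accept(self, host: str, public_key: bytes) -> None:
        """Trust-on-first-use: the user clicked through once, so remember this key ('Permanent')."""
        self._pins[host] = fingerprint(public_key)

    def check(self, host: str, public_key: bytes) -> Verdict:
        """Compare the key the peer presents with whatever is pinned for this host."""
        pinned = self._pins.get(host)
        if pinned is None:
            return Verdict.UNKNOWN
        presented = fingerprint(public_key)
        if hmac.compare_digest(pinned.encode("ascii"), presented.encode("ascii")):
            return Verdict.TRUSTED
        return Verdict.CHANGED


# Constructed sample keys: stand-ins for the bytes a real peer would present.
SERVER_KEY = b"constructed-server-public-key-bytes"
IMPOSTOR_KEY = b"constructed-hijacker-public-key-bytes"
HOST = "intranet.example"  # constructed hostname


def walkthrough() -> list[Verdict]:
    """Replay the three situations from the thread and return the verdicts in order."""
    verdicts = []

    # 1. First-time visitor with no pin: the checker cannot tell the real server's
    #    self-signed key from a hijacker's self-signed key. Both come back UNKNOWN.
    visitor = KnownHosts()
    verdicts.append(visitor.check(HOST, SERVER_KEY))
    verdicts.append(visitor.check(HOST, IMPOSTOR_KEY))

    # 2. Fred was given the fingerprint out of band, so his very first connection
    #    verifies, and a substituted key is flagged immediately.
    fred = KnownHosts()
    fred.pin(HOST, fingerprint(SERVER_KEY))
    verdicts.append(fred.check(HOST, SERVER_KEY))
    verdicts.append(fred.check(HOST, IMPOSTOR_KEY))

    # 3. Internal server with limited users: accept once ("Permanent"), after which
    #    a later key substitution is caught just as SSH's changed-host-key warning would.
    tofu = KnownHosts()
    tofu.accept(HOST, SERVER_KEY)
    verdicts.append(tofu.check(HOST, IMPOSTOR_KEY))
    return verdicts


if __name__ == "__main__":
    for v in walkthrough():
        print(v.name, "-", v.value)
```

The first two verdicts are the point of the reply: without a pre-distributed fingerprint the store has no way to prefer one key over the other, which is exactly the gap a browser warning on a self-signed certificate is reporting. The `pin` path works when the set of users is small and known in advance; it is the step that does not scale to an Internet-facing service.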

More information about the NANOG mailing list