Gmail and SSL
alter3d at alter3d.ca
Sun Dec 30 02:41:35 UTC 2012
On 12/29/2012 7:41 PM, Mark - Syminet wrote:
> On Dec 14, 2012, at 7:52 AM, Peter Kristolaitis <alter3d at alter3d.ca> wrote:
>> On 12/14/2012 10:47 AM, Randy wrote:
>>> I don't have hundreds of dollars to get my ssl certificates signed
>> You can get single-host certificates issued for free from StartSSL, or for very cheaply (under $10) from low-cost providers like CheapSSL.com. I've never had a problem having my StartSSL certs verified by anyone.
> So I guess the question really, is this:
> Is it bad, therefore - to *force* every holder of a self-signed certificate - to transmit in the clear?
There are plenty of good reasons for self-signed certs -- people stuck
running a Microsoft environment might find it might difficult without
it, since it's a fundamental feature of Active Directory. ;) Various
F/OSS projects, like OpenVPN, generally recommend self-signed certs as a
standard deployment scenario, because it actually provides an extra
layer of security -- as the CA, you determine who gets a cert and who
doesn't. The difficulty you'll run into is defining "self-signed".
If you generate your own CA and put the certs in your /etc/ssl
directory, it's still "self-signed" (as in you're the one signing the
end-use certs), the only difference is that your browser, etc, won't pop
up a warning because it's now "trusted".
It's also important to not conflate "encryption" with "chain of trust
validation". There are good reasons to encrypt without really caring
who you're talking to. There are also good reasons to not necessarily
trust an arbitrary list of CAs as provided by your SSL stack vendor and
provide your own list, as mentioned above.
Two entirely separate issues, IMHO.
More information about the NANOG