Gmail and SSL

Peter Kristolaitis alter3d at alter3d.ca
Sun Dec 30 02:41:35 UTC 2012


On 12/29/2012 7:41 PM, Mark - Syminet wrote:
> On Dec 14, 2012, at 7:52 AM, Peter Kristolaitis <alter3d at alter3d.ca> wrote:
>
>> On 12/14/2012 10:47 AM, Randy wrote:
>>> I don't have hundreds of dollars to get my ssl certificates signed
>> You can get single-host certificates issued for free from StartSSL, or very cheaply (under $10) from low-cost providers like CheapSSL.com.  I've never had a problem having my StartSSL certs verified by anyone.
>>
>
> So I guess the question really, is this:
>
> Is it bad, therefore - to *force* every holder of a self-signed certificate - to transmit in the clear?
>

There are plenty of good reasons for self-signed certs -- people stuck 
running a Microsoft environment might find it difficult without 
it, since it's a fundamental feature of Active Directory. ;)   Various 
F/OSS projects, like OpenVPN, generally recommend self-signed certs as a 
standard deployment scenario, because it actually provides an extra 
layer of security -- as the CA, you determine who gets a cert and who 
doesn't.   The difficulty you'll run into is defining "self-signed".   
If you generate your own CA and put the certs in your /etc/ssl 
directory, it's still "self-signed" (as in you're the one signing the 
end-use certs), the only difference is that your browser, etc, won't pop 
up a warning because it's now "trusted".

It's also important to not conflate "encryption" with "chain of trust 
validation".   There are good reasons to encrypt without really caring 
who you're talking to.  There are also good reasons to not necessarily 
trust an arbitrary list of CAs as provided by your SSL stack vendor and 
provide your own list, as mentioned above.

Two entirely separate issues, IMHO.

- Pete
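
The private-CA point in the message above, as an added example that is not part of the original post: a leaf certificate signed by your own CA verifies only when that CA is supplied as a trust anchor, and fails against the vendor-supplied default list. The names "Example Private CA" and "mail.example.test" are constructed, and the script assumes the openssl command-line tool with its default openssl.cnf is installed.

```shell
#!/bin/sh
# Added example (not from the original post). All names are constructed.
# Assumes the openssl CLI with a default openssl.cnf is installed.

# Build a private CA and a leaf certificate signed by it inside directory $1.
make_private_pki() {
    d=$1
    # The CA certificate is self-signed: you are the root of this chain.
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=Example Private CA" \
        -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null || return 1
    # Leaf key and signing request for a constructed host name.
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/CN=mail.example.test" \
        -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null || return 1
    # As the CA, you decide that this request gets a certificate.
    openssl x509 -req -in "$d/leaf.csr" -days 30 \
        -CA "$d/ca.crt" -CAkey "$d/ca.key" -CAcreateserial \
        -out "$d/leaf.crt" 2>/dev/null || return 1
}

# Succeeds only if certificate $1 chains to the trust anchors in file $2.
trusted_with_anchor() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Succeeds only if certificate $1 chains to the vendor-supplied default store.
trusted_by_default_store() {
    openssl verify "$1" >/dev/null 2>&1
}

demo() {
    d=$(mktemp -d) || return 1
    make_private_pki "$d" || { rm -rf "$d"; return 1; }
    trusted_with_anchor "$d/leaf.crt" "$d/ca.crt" && echo "own CA list: trusted"
    trusted_by_default_store "$d/leaf.crt" || echo "vendor CA list: not trusted"
    rm -rf "$d"
}

demo
```

The certificate and key are the same in both checks; only the list of trust anchors changes the verdict.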