[Dovecot] Changing SSL certificates - switching from self-signed to RapidSSL
Stephan von Krawczynski
skraw at ithnet.com
Sat Apr 19 07:14:51 UTC 2014
On Fri, 18 Apr 2014 13:57:47 -0400
Charles Marcus <CMarcus at Media-Brokers.com> wrote:
> Hi all,
>
> Ok, been wanting to do this for a while, and I after the Heartbleed
> fiasco, the boss finally agreed to let me buy some real certs...
Well, I guess one has to tell you that:
1) No certs no matter if self-signed or not would have saved you from
heartbleed.
2) "real certs" issued from cert-dealers are no more safe than your
self-signed was. In fact they add the risk of your cert-dealter being hacked
and you don't know. _This has happened_ already for at least one cert-dealer.
So there is no proof at all that it will not happen again and this time
probably nobody will be informed, because the company is dead afterwards (just
like diginotar). In fact the whole cert business is a big fake currently.
3) The whole SSL stuff can only be made secure by implementing methods to
authorize self-signed certs yourself and the clients using it being able to
check that. Every checking by external "authorities" is just an uncontrollable
security hole.
--
Regards,
Stephan
More information about the dovecot
mailing list