[Dovecot] Changing SSL certificates - switching from self-signed to RapidSSL

Reindl Harald h.reindl at thelounge.net
Sat Apr 19 07:40:07 UTC 2014



On 19.04.2014 09:30, Stephan von Krawczynski wrote:
> On Sat, 19 Apr 2014 09:22:07 +0200
> Reindl Harald <h.reindl at thelounge.net> wrote:
>> yes, but you seem not to understand that "Heartbleed" is the moment
>> which you can use to say "now let us take SSL seriously" in general
>> as well as other security topics because *now* you can point
>> somewhere and say "look manager, things are happening for real"
> 
> Yes, but all he has to do is ask you if this problem would have arisen if he
> had a "real cert" to know that spending your money would not have helped.

and then I would explain to him: no, but we don't waste additional time
because every customer makes a support call after we change the
self-signed certificate and all mail clients out there alert

>>> 2) "real certs" issued from cert-dealers are no safer than your
>>> self-signed was. In fact they add the risk of your cert-dealer being hacked
>>> and you don't know. _This has happened_ already for at least one cert-dealer.
>>> So there is no proof at all that it will not happen again and this time
>>> probably nobody will be informed, because the company is dead afterwards (just
>>> like DigiNotar). In fact the whole cert business is a big fake currently
>>
>> yes but you can't change that nor can i
> 
> So you say: "better fake security than no security"?

no - you need to understand that SSL has *two* goals

* encryption
* authentication

encryption works independently of authentication
authentication is fucked up in general and broken by design
and because of that it's not worth wasting time explaining to users
over and over how to accept the self-signed one while you
do big harm with that: training monkeys to ignore warnings

but that does not change the main-goal: encryption

>>> 3) The whole SSL stuff can only be made secure by implementing methods to
>>> authorize self-signed certs yourself and the clients using it being able to
>>> check that. Every check by external "authorities" is just an uncontrollable
>>> security hole.
>>
>> bulls**t because you can't do that if your mail users are ordinary
>> customers and even if you manage to get them to import your self-
>> signed cert that *does not* change the fact that they get no alert
>> in case of a MITM attack presenting whatever certificate signed
>> by a CA all clients are trusting
>>
>> without certificate pinning you are lost in any case and with
>> certificate pinning you can avoid the initial warning nobody
>> of the ordinary users understands - so until you come with
>> a solution for certificate pinning on an end user's MUA better
>> don't explain things anybody knows
> 
> It does not matter if you can do something _now_ or not. The only way to
> improve a non-working situation is to tell that it is not working (my way) and
> not to ignore it (your way)

it is working, it is working as well as it can, and if you compare the
costs of 130 € for 3 years with support calls because of self-signed
certificates, and the *real harm* done by training ordinary users to ignore
warnings, just guess which way works

honestly, if I connect to a server owned by a company that comes
with a self-signed certificate without having been told so before,
I get alarmed that they may not be trustworthy, because if they
save the little money for the cert I may assume they save money
on other important things too
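The pinning argument above, together with the thread's subject (swapping a self-signed certificate for a CA-issued one), as an added shell example that is not from this post or from Dovecot: it computes the SPKI pin a pinning client would compare and shows that the pin survives re-issuance by a different CA as long as the server keeps its key, while a certificate for the same name under a different key fails the check. It assumes the openssl command-line tool; every certificate and name here (mail.example.test, Local Test CA) is constructed locally.

```shell
#!/bin/sh
# Added example, not code from the thread: compute the SPKI pin of an X.509
# certificate (SHA-256 over the DER SubjectPublicKeyInfo, base64), the value a
# pinning client compares, and check it against three locally constructed
# certificates. Names like mail.example.test are constructed; needs openssl.
set -eu

spki_pin() {
    # pin = base64(sha256(DER(SubjectPublicKeyInfo))) of the certificate in $1
    openssl x509 -in "$1" -pubkey -noout \
      | openssl pkey -pubin -outform DER \
      | openssl dgst -sha256 -binary \
      | openssl base64 -A
}

check_pin() {
    # succeeds (exit 0) only when certificate $1 carries the expected pin $2
    [ "$(spki_pin "$1")" = "$2" ]
}

demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
cd "$demo_dir"

# 1. The server's existing key and self-signed certificate (constructed).
openssl req -x509 -newkey rsa:2048 -nodes -keyout mail.key -out self.pem \
    -subj "/CN=mail.example.test" -days 2 2>/dev/null

# 2. A certificate for the SAME key issued by a local stand-in CA
#    (constructed): this is what switching to a commercial CA looks like
#    when the CSR is generated from the existing key.
openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.pem \
    -subj "/CN=Local Test CA" -days 2 2>/dev/null
openssl req -new -key mail.key -subj "/CN=mail.example.test" -out mail.csr
openssl x509 -req -in mail.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
    -out ca_issued.pem -days 2 2>/dev/null

# 3. A certificate for the same name but a fresh key (constructed): what a
#    substituted certificate, or a rotation to a new key, looks like to a pin.
openssl req -x509 -newkey rsa:2048 -nodes -keyout other.key -out other.pem \
    -subj "/CN=mail.example.test" -days 2 2>/dev/null

PIN=$(spki_pin self.pem)
echo "pinned SPKI: $PIN"
check_pin ca_issued.pem "$PIN" && echo "CA-issued cert, same key: pin matches"
check_pin other.pem "$PIN"     || echo "same name, different key: pin MISMATCH"
```

Because the check keys on the public key rather than on the issuer, a client that verifies the pin raises an alert for a substituted certificate no matter which CA signed it, and the pin only needs updating when the server's key actually changes.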
