19 Apr 2014, 10:14 a.m.
On Fri, 18 Apr 2014 13:57:47 -0400 Charles Marcus CMarcus@Media-Brokers.com wrote:
Hi all,
Ok, been wanting to do this for a while, and after the Heartbleed fiasco, the boss finally agreed to let me buy some real certs...
Well, I guess one has to tell you that:
- No certs, no matter if self-signed or not, would have saved you from Heartbleed.
- "real certs" issued from cert-dealers are no more safe than your self-signed was. In fact they add the risk of your cert-dealer being hacked and you don't know. _This has happened_ already for at least one cert-dealer. So there is no proof at all that it will not happen again, and this time probably nobody will be informed, because the company is dead afterwards (just like DigiNotar). In fact the whole cert business is a big fake currently.
- The whole SSL stuff can only be made secure by implementing methods to authorize self-signed certs yourself and the clients using it being able to check that. Every check by external "authorities" is just an uncontrollable security hole.
-- Regards, Stephan
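The third point above, a client that authorizes a server's certificate itself and checks it on every later connection, as an added example (not code from this thread or from any of its participants): a local pin store keyed by "host:port" holding SHA-256 fingerprints of the DER certificate, in a hypothetical JSON layout, with optional trust-on-first-use for recording the pin.

```python
import hashlib
import json
import socket
import ssl
from pathlib import Path

# Pins are SHA-256 digests of the server's DER-encoded certificate, kept in a
# local JSON file (hypothetical format: {"host:port": "<hex digest>"}).


def cert_fingerprint(der_cert: bytes) -> str:
    """Return the hex SHA-256 fingerprint of a DER-encoded certificate."""
    return hashlib.sha256(der_cert).hexdigest()


def check_pin(store: dict, endpoint: str, der_cert: bytes, tofu: bool = False) -> str:
    """Compare the presented certificate against the locally authorized pin.

    Returns "ok" on a match, "pinned" when tofu=True and the endpoint is seen
    for the first time (the pin is recorded), and raises on a mismatch or on
    an unpinned endpoint when trust-on-first-use is disabled.
    """
    fp = cert_fingerprint(der_cert)
    pinned = store.get(endpoint)
    if pinned is None:
        if not tofu:
            raise ssl.SSLCertVerificationError(f"{endpoint}: no local pin, refusing")
        store[endpoint] = fp
        return "pinned"
    if pinned != fp:
        # A changed certificate is exactly the event the client must notice itself
        raise ssl.SSLCertVerificationError(
            f"{endpoint}: certificate changed (pinned {pinned[:16]}..., got {fp[:16]}...)")
    return "ok"


def load_store(path: Path) -> dict:
    return json.loads(path.read_text()) if path.exists() else {}


def save_store(path: Path, store: dict) -> None:
    path.write_text(json.dumps(store, indent=2))


def fetch_peer_der(host: str, port: int = 443) -> bytes:
    """Retrieve the server certificate without consulting any CA store."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # the pin check replaces CA-based trust
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)
```

A caller would combine these as `check_pin(store, f"{host}:{port}", fetch_peer_der(host, port))` and only proceed with the session when the result is "ok".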