[Dovecot] Changing SSL certificates - switching from self-signed to RapidSSL

Reindl Harald h.reindl at thelounge.net
Sat Apr 19 07:22:07 UTC 2014



On 19.04.2014 09:14, Stephan von Krawczynski wrote:
> On Fri, 18 Apr 2014 13:57:47 -0400
> Charles Marcus <CMarcus at Media-Brokers.com> wrote:
> 
>> Hi all,
>>
>> Ok, been wanting to do this for a while, and I after the Heartbleed 
>> fiasco, the boss finally agreed to let me buy some real certs...
> 
> Well, I guess one has to tell you that:
> 1) No certs no matter if self-signed or not would have saved you from
> heartbleed

yes, but you seem not to understand what "Heartbleed" is: the moment
which you can use to say "now let us take SSL seriously" in general
as well as other security topics, because *now* you can point
somewhere and say "look manager, things happening in real"

> 2) "real certs" issued from cert-dealers are no more safe than your
> self-signed was. In fact they add the risk of your cert-dealer being hacked
> and you don't know. _This has happened_ already for at least one cert-dealer.
> So there is no proof at all that it will not happen again and this time
> probably nobody will be informed, because the company is dead afterwards (just
> like diginotar). In fact the whole cert business is a big fake currently

yes but you can't change that nor can i

> 3) The whole SSL stuff can only be made secure by implementing methods to
> authorize self-signed certs yourself and the clients using it being able to
> check that. Every checking by external "authorities" is just an uncontrollable
> security hole.

bulls**t because you can't do that if your mail users are ordinary
customers, and even if you manage to get them to import your self-signed
cert that *does not* change the fact that they get no alert
in case of a MITM attack presenting whatever certificate signed
by a CA all clients are trusting

without certificate pinning you are lost in any case, and with
certificate pinning you can avoid the initial warning nobody
of the ordinary users understands - so until you come with
a solution for certificate pinning on an end user's MUA better
don't explain things anybody knows
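As an added example that is not part of this thread: a shell script (assuming the openssl CLI is installed; the CA and both server certificates are throwaways constructed by the script) showing the point made above, that ordinary chain validation accepts any certificate a trusted CA signed for the server name, while a pinned fingerprint accepts only the one you expect.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes the openssl CLI; every
# certificate below is a throwaway constructed for the demo.
set -u

# SHA-256 fingerprint of a PEM certificate (colon-separated hex, as openssl prints it).
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^[^=]*=//'
}

# Pin check: succeed only if the presented certificate has the pinned fingerprint.
# This is an extra layer on top of chain and hostname validation, not a replacement.
check_pin() {
    [ "$(cert_fingerprint "$1")" = "$2" ]
}

# Chain check as an ordinary client does it: trust anything the CA signed.
check_chain() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Build a demo CA and two CA-signed certificates for the same server name; the
# second one stands in for a certificate a trusted CA issued to someone else.
make_demo_pki() {
    dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" >/dev/null 2>&1
    for name in legit other; do
        openssl req -newkey rsa:2048 -nodes -subj "/CN=mail.example.com" \
            -keyout "$dir/$name.key" -out "$dir/$name.csr" >/dev/null 2>&1
        openssl x509 -req -in "$dir/$name.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
            -CAcreateserial -days 1 -out "$dir/$name.pem" >/dev/null 2>&1
    done
}

# Both certificates pass the chain check; only the pinned one passes the pin check.
demo() {
    dir=$(mktemp -d)
    make_demo_pki "$dir"
    pin=$(cert_fingerprint "$dir/legit.pem")
    for name in legit other; do
        check_chain "$dir/ca.pem" "$dir/$name.pem" && chain=ok || chain=FAIL
        check_pin "$dir/$name.pem" "$pin" && pinned=ok || pinned=FAIL
        echo "$name.pem: chain=$chain pin=$pinned"
    done
    rm -rf "$dir"
}

demo
```

The pin is tied to one certificate, so whoever renews the server certificate must also ship the new fingerprint to the clients before the switch, or the legitimate server fails the pin check.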


