[Dovecot] Changing SSL certificates - switching from self-signed to RapidSSL

Stephan von Krawczynski skraw at ithnet.com
Sat Apr 19 07:30:42 UTC 2014


On Sat, 19 Apr 2014 09:22:07 +0200
Reindl Harald <h.reindl at thelounge.net> wrote:

> 
> 
> > On 19.04.2014 09:14, Stephan von Krawczynski wrote:
> > On Fri, 18 Apr 2014 13:57:47 -0400
> > Charles Marcus <CMarcus at Media-Brokers.com> wrote:
> > 
> >> Hi all,
> >>
> >> Ok, been wanting to do this for a while, and I after the Heartbleed 
> >> fiasco, the boss finally agreed to let me buy some real certs...
> > 
> > Well, I guess one has to tell you that:
> > 1) No certs no matter if self-signed or not would have saved you from
> > heartbleed
> 
> yes, but you seem not to understand what "Heartbleed" is: the moment
> which you can use to say "now let us take SSL seriously" in general
> as well as other security topics because *now* you can point
> somewhere and say "look manager, things are happening for real"

Yes, but all he has to do is ask you if this problem would have arisen if he
had a "real cert" to know that your spending money would not have helped.
 
> > 2) "real certs" issued from cert-dealers are no more safe than your
> > self-signed was. In fact they add the risk of your cert-dealer being hacked
> > and you don't know. _This has happened_ already for at least one cert-dealer.
> > So there is no proof at all that it will not happen again and this time
> > probably nobody will be informed, because the company is dead afterwards (just
> > like diginotar). In fact the whole cert business is a big fake currently
> 
> yes but you can't change that nor can i

So you say: "better fake security than no security" ?
 
> > 3) The whole SSL stuff can only be made secure by implementing methods to
> > authorize self-signed certs yourself and the clients using it being able to
> > check that. Every checking by external "authorities" is just an uncontrollable
> > security hole.
> 
> bulls**t because you can't do that if your mailusers are ordinary
> customers and even if you manage to get them to import your self
> signed cert that *does not* change the fact that they get no alert
> in case of a MITM attack presenting whatever certificate signed
> from a CA all clients are trusting
> 
> without certificate pinning you are lost in any case and with
> certificate pinning you can avoid the initial warning nobody
> of the ordinary users understands - so until you come with
> a solution for certificate pinning on end users' MUAs better
> don't explain things anybody knows

It does not matter if you can do something _now_ or not. The only way to
improve a non-working situation is to say that it is not working (my way) and
not to ignore it (your way).

-- 
Regards,
Stephan
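The point argued above, that CA validation alone accepts any certificate a trusted CA has issued for the name while a pinned client rejects it, can be shown in a few lines. The following is an added example and not code from this thread or from Dovecot; the "certificates" are constructed placeholder bytes wrapped in PEM markers (the standard library's PEM-to-DER conversion only base64-decodes, so no real certificate is needed to exercise the fingerprint comparison), the hostname mail.example.com is a placeholder, and `chain_trusted` stands in for the result of the client's normal CA path validation.

```python
import base64
import hashlib
import hmac
import ssl

# Constructed sample: arbitrary bytes standing in for the DER encoding of the
# mail server's own certificate (self-signed or CA-issued, it makes no
# difference to the pin).
SERVER_CERT_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.b64encode(b"constructed-der-bytes-for-mail.example.com").decode()
    + "\n-----END CERTIFICATE-----\n"
)

# Constructed sample: a different certificate for the same hostname, such as
# one issued by any CA the client already trusts.
OTHER_CERT_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.b64encode(b"constructed-der-bytes-issued-by-some-trusted-ca").decode()
    + "\n-----END CERTIFICATE-----\n"
)


def fingerprint_from_pem(pem: str) -> str:
    """Hex SHA-256 fingerprint of the DER encoding of a PEM certificate.
    This is the value an administrator would publish or preconfigure as the pin."""
    der = ssl.PEM_cert_to_DER_cert(pem)
    return hashlib.sha256(der).hexdigest()


def pin_matches(der: bytes, pinned_fingerprints) -> bool:
    """True if the presented certificate matches one of the pinned fingerprints.
    compare_digest keeps the comparison constant-time; a set of pins allows
    a planned rollover to the next certificate."""
    presented = hashlib.sha256(der).hexdigest()
    return any(hmac.compare_digest(presented, pin) for pin in pinned_fingerprints)


def accept_connection(der: bytes, chain_trusted: bool, pinned_fingerprints=None) -> bool:
    """Trust decision of a client.  chain_trusted is the outcome of ordinary
    CA path validation (passed in, not computed, since it is the part being
    shown to be insufficient).  Without pins, the CA's word is final; with
    pins, the certificate must additionally be one the client expects."""
    if not chain_trusted:
        return False
    if pinned_fingerprints is None:
        return True
    return pin_matches(der, pinned_fingerprints)


def check_live_socket(tls_sock: ssl.SSLSocket, pinned_fingerprints) -> bool:
    """How the same check attaches to a real connection: after the handshake,
    getpeercert(binary_form=True) returns the peer's leaf certificate as DER."""
    return pin_matches(tls_sock.getpeercert(binary_form=True), pinned_fingerprints)


def connection_outcomes() -> dict:
    """Run both policies against the server's own certificate and against the
    other CA-issued certificate for the same name.  Both certificates are
    assumed to pass chain validation (chain_trusted=True)."""
    pins = {fingerprint_from_pem(SERVER_CERT_PEM)}
    real = ssl.PEM_cert_to_DER_cert(SERVER_CERT_PEM)
    other = ssl.PEM_cert_to_DER_cert(OTHER_CERT_PEM)
    return {
        "real_unpinned": accept_connection(real, True),
        "other_unpinned": accept_connection(other, True),
        "real_pinned": accept_connection(real, True, pins),
        "other_pinned": accept_connection(other, True, pins),
    }


if __name__ == "__main__":
    for case, accepted in connection_outcomes().items():
        print(f"{case:15} accepted={accepted}")
```

The unpinned client accepts both certificates because both are assumed to chain to a trusted CA, which is exactly the "no alert" case described in the thread; the pinned client accepts only the certificate whose fingerprint it was given. The cost, also noted in the thread, is that the pin has to reach the user's MUA out of band and be updated before each certificate rollover, which is why the set of pins rather than a single value is used here.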
