[Dovecot] Changing SSL certificates - switching from self-signed to RapidSSL
Reindl Harald
h.reindl at thelounge.net
Sat Apr 19 08:58:39 UTC 2014
Am 19.04.2014 10:44, schrieb Stephan von Krawczynski:
> On Sat, 19 Apr 2014 10:20:39 +0200
> Reindl Harald <h.reindl at thelounge.net> wrote:
>
>> and where does it lead to trigger warnings all over the planet and train
>> people to ignore them? in case of a mailserver that's not a real big
>> problem because they amount of users is limited
>>
>> on a public website it is insane to present a browser warning as welcome message
>>
>> if there is a working replacement, widely supported by client-software
>> and useable or the ordinary enduser - fine - let us adopt it - until
>> that does not exist you are talking bullshit
>>
>> well, i have an offer for you:
>> you pay the support calls caused by certificate warnings, you pay also the
>> harm of other ignored warnings as result of train monkeys, you go out and
>> make *every* enduser to a tech person understand certificates and SSL before
>> and after that we all start to drop CA certificates
>>
>> deal?
>
> So you like market behaviour
no, but after more than 11 years working in the IT as software
developer and sysadmin building any admin backends, automation
tools and cms-systems at my own while dealing with the endusers
and their software i have learned which fights i can't win and
better spend my time to work on things gaining a result
> Don't you think that the market of client software will react
> faster if everybody is aware of the currently unsolved
> problems?
only in a perfect world
in the world i sadly live i had to turn SSL3 on again after a
complaint of big customer that one of his customers can't use
his shop with MSIE6 and is not willing to enable TLS in the
settings which is one click i did 13 years ago in times using
Windows, well now after Heartbleed and EOL of WiNXP now i had
the arguments to disable it forever -> done
in the world i sadly live i had recently a customer using a 10
years old Eudora mail-client on MacOSX which don't work with
SHA256 certificates - the reply to "please update your OS and
your mail-client, this one is unsupported and higly insecure"
was "but i was happy with it until *you* changed something"
> My word is: make them aware
mine too, but make aware and try to force end-users to understand
things are different worlds - you can't win the fight against
users ignorance, careless and their outdated software
> Your word is: safe money and give a damn
my word is safe time where it is wasted and use it to improve
things in areas where i can win a fight - fighting a lost battle
leads to nowehere and eats the time to improve other things
i spent hundrets of hours in security the last few years looking
at a big picture of all sort of network services and operating
systems to work as secure as possible with each other
if i would have wasted that time with lost battles i would have
gained nothing
> Lets stop it here, it is obvious we disagree and I guess people on the
> list have heard enough to take their own decisions
agreed
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 246 bytes
Desc: OpenPGP digital signature
URL: <http://dovecot.org/pipermail/dovecot/attachments/20140419/20530d97/attachment-0001.sig>
More information about the dovecot
mailing list