[Dovecot] Changing SSL certificates - switching from self-signed to RapidSSL

Charles Marcus CMarcus at Media-Brokers.com
Sat Apr 19 11:26:22 UTC 2014


Please Reply-To-List, don't send to me directly, I'm on the list.

On 4/19/2014 3:14 AM, Stephan von Krawczynski <skraw at ithnet.com> wrote:
> On Fri, 18 Apr 2014 13:57:47 -0400
> Charles Marcus <CMarcus at Media-Brokers.com> wrote:
>
>> Hi all,
>>
>> Ok, been wanting to do this for a while, and after the Heartbleed
>> fiasco, the boss finally agreed to let me buy some real certs...
> Well, I guess one has to tell you that:
> 1) No certs no matter if self-signed or not would have saved you from
> heartbleed.

I know that. I simply leveraged the noise to convince the boss to buy 
some real certs.

And NO, I did not suggest that having real certs would have made us 
immune (in fact I told him it wouldn't), but the fiasco was a good time 
to bring the subject up again (I've been trying for years to get him to 
let me buy real certs to avoid the scary warnings).

> 2) "real certs" issued from cert-dealers are no more safe than your
> self-signed was.

I know this. I want 'real' certs so our users no longer get the stupid big 
ugly scary warnings about untrusted certs when setting up mail clients.

> In fact they add the risk of your cert-dealer being hacked
> and you don't know. _This has happened_ already for at least one cert-dealer.
> So there is no proof at all that it will not happen again and this time
> probably nobody will be informed, because the company is dead afterwards (just
> like diginotar).

All true, but there is risk in everything.

>   In fact the whole cert business is a big fake currently.

In theory I agree, but the reality is different from theory.

> 3) The whole SSL stuff can only be made secure by implementing methods to
> authorize self-signed certs yourself and the clients using it being able to
> check that. Every checking by external "authorities" is just an uncontrollable
> security hole.

True, but running my own CA, and requiring users to follow complicated 
(for them) instructions on how to install our own CA into all of their 
clients is simply not a viable option (for us).

-- 

Best regards,

Charles
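The "run your own CA" alternative debated in the reply above, as an added example that is not code from this thread, from Charles, or from the Dovecot project. It uses the openssl CLI to build a private CA, issue a server certificate for an IMAP host, and then run the check a mail client performs (chain to a trusted root plus hostname match) against both that certificate and a plain self-signed one, to show why one gets the warning and the other does not. The hostname mail.example.com, the scratch directory, the section names in the config and OpenSSL 1.1.1 or newer are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the Dovecot list thread or the Dovecot project):
# private CA vs. self-signed cert, checked the way a mail client checks them.
# Assumed: hostname mail.example.com, a scratch dir, OpenSSL >= 1.1.1.

HOST="${HOST:-mail.example.com}"
WORK="${WORK:-$(mktemp -d)}"

# Minimal OpenSSL config so the example does not depend on the system
# openssl.cnf. Section names v3_ca / v3_server are this example's own.
write_config() {
  cat > "$WORK/req.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = $HOST
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[v3_server]
basicConstraints = CA:FALSE
keyUsage = digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$HOST
EOF
}

make_certs() {
  write_config
  # 1. The kind of cert the poster started with: signed by its own key.
  openssl req -x509 -config "$WORK/req.cnf" -extensions v3_server \
    -newkey rsa:2048 -nodes -days 30 -subj "/CN=$HOST" \
    -keyout "$WORK/selfsigned.key" -out "$WORK/selfsigned.pem" 2>/dev/null
  # 2. A private CA: the root every user would have to import into each client.
  openssl req -x509 -config "$WORK/req.cnf" -extensions v3_ca \
    -newkey rsa:2048 -nodes -days 3650 -subj "/CN=Example Private CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
  # 3. A server CSR, signed by the private CA with server extensions (SAN,
  #    serverAuth). Without the SAN, modern clients reject the cert anyway.
  openssl req -new -config "$WORK/req.cnf" -newkey rsa:2048 -nodes \
    -subj "/CN=$HOST" -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 90 -extfile "$WORK/req.cnf" -extensions v3_server \
    -out "$WORK/server.pem" 2>/dev/null
}

# Client-side check: does cert $1 chain to a root in trust store $2 and
# carry the expected hostname? Exit 0 means "trusted"; anything else is the
# "big ugly scary warning" case.
verify_cert() {
  openssl verify -CAfile "$2" -verify_hostname "$HOST" "$1"
}

# Stand-alone run: the CA-issued cert passes, the self-signed one fails
# against the same trust store.
if [ "${1:-}" = "demo" ]; then
  make_certs
  verify_cert "$WORK/server.pem" "$WORK/ca.pem"
  verify_cert "$WORK/selfsigned.pem" "$WORK/ca.pem" || echo "self-signed: untrusted (as expected)"
fi
```

Run it with `sh example.sh demo`. The same `openssl verify` check is what to run against a CA-issued certificate before deploying it: with a commercial cert the trust store is the client's built-in root bundle, and the intermediate certificate the CA supplies must be appended after the server certificate in the file that Dovecot's `ssl_cert = <` setting points to, otherwise clients that lack that intermediate still warn even though the root is trusted. Against a live server, `openssl s_client -connect mail.example.com:993 -showcerts` shows exactly which chain Dovecot is sending.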
