[Freedombox-discuss] Debian as though cryptographic authentication mattered Questions

Melvin Carvalho melvincarvalho at gmail.com
Fri Aug 5 20:24:00 UTC 2011


On 5 August 2011 22:07, Daniel Kahn Gillmor <dkg at fifthhorseman.net> wrote:
> On 08/05/2011 04:01 PM, Melvin Carvalho wrote:
>
>> In general it would be fair to say WebID has a dependency on DNS but
>> so does email.  In both systems there are cases where you can
>> work without DNS.
>>
>> Unsure of the supposed dependency of the CA Cartel, given that
>> certificates are self signed.  Perhaps I'm missing something, tho.
>
> Barring a functional DNSSEC+DANE implementation (which no one seems to
> have running in the real world yet to my knowledge), there is a
> dependency on the CA Cartel to verify the certificates of the web
> servers involved.
>
> I'm assuming, of course, that the web servers use HTTPS; otherwise, a
> network attacker could simply hijack the connections to the server directly.

DNSSEC/DANE would be nice for the future, but it's not the only
solution, right now.

You can self sign web server certs.  This is what I do.

In fact I think the apache2 conf in debian comes with such an SSL
setup out of the box.

Of course some browsers may throw a warning that you can click
through, but there are options even in that case, such as using the
Perspectives project

http://perspectives-project.org/

Another option is to use the CA cartel to get a free cert, if you prefer.
This works

http://www.startssl.com/?app=1

>
>        --dkg