
I disagree. SSL is meant to do 2 things: prove identity and provide encryption. Self-signed certificates do just the latter. While, yes, they might provide a false sense of security in that they can't prevent MITM attacks, at least you're not sending out data in the open.


Ever since the first released version, SSLv2, http://www.mozilla.org/projects/security/pki/nss/ssl/draft02... it has had the stated goal of defending against MitM attacks.

Still, if protection from completely passive eavesdropping is all you care about, you can use anonymous Diffie-Hellman to negotiate an ephemeral key. The protocol supports it. Heck, a lot of home-grown client software doesn't even check the name on the cert and ends up with effectively just that by accident.

Feel free to add your own self-signed exceptions. I find it useful myself.

But that's not what HTTPS is and it's not how web browsers work. By definition, the lock icon in the user's browser means that the server (as displayed in the URL) has been authenticated to the user.
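The "check the name on the cert" step the reply above mentions is the part that turns encryption into identity. The following is an added example, not code from anyone in this thread: a hostname match in the style of RFC 6125 over a certificate shaped like Python's `ssl.SSLSocket.getpeercert()` output, with constructed certificate dicts. In real clients this check is done for you by `ssl.create_default_context()` (which sets `check_hostname=True`); the point here is to show what a client that skips it is giving up.

```python
# Added example (not from the HN thread): what "checking the name on the
# cert" means. A TLS client that skips this step has encryption but no
# identity, the "accidental anonymous" mode the reply describes.
# Input shape mirrors ssl.SSLSocket.getpeercert(): a dict whose
# 'subjectAltName' is a tuple of (type, value) pairs. Sample data is constructed.
import ipaddress


def _dns_label_match(pattern: str, host: str) -> bool:
    """RFC 6125 style: a wildcard may only be the entire leftmost label."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    # Refuse '*.com'-style patterns and partial wildcards such as 'a*.example.com'.
    if len(p_labels) < 3 or p_labels[0] != "*" or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def _ip_equal(san_value: str, ip: ipaddress._BaseAddress) -> bool:
    try:
        return ipaddress.ip_address(san_value) == ip
    except ValueError:
        return False


def cert_matches_host(cert: dict, host: str) -> bool:
    """True only if the certificate is actually issued for `host`.

    A server presenting a valid chain for some *other* name is exactly what a
    client that does not check the name accepts by mistake.
    """
    sans = cert.get("subjectAltName", ())
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    if ip is not None:
        return any(t == "IP Address" and _ip_equal(v, ip) for t, v in sans)
    return any(t == "DNS" and _dns_label_match(v, host) for t, v in sans)


# Constructed certificate dicts (not real certificates), shaped like getpeercert().
WILDCARD_CERT = {"subjectAltName": (("DNS", "*.example.com"),)}
EXACT_CERT = {"subjectAltName": (("DNS", "www.example.com"), ("IP Address", "192.0.2.10"))}
```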



