Self-signed certificate.
Marc Haber
mh+nessus at zugschlus.de
Thu Dec 8 08:45:18 EST 2005
On Wed, Dec 07, 2005 at 11:43:24AM -0500, Jiang, Qinglin
<qjiang at verisign.com> wrote:
> I noticed that nessus doesn't produce a warning when there's a
> self-signed ssl certificate.
> Users will normally accept a self-signed certificate.
> In terms of security I wouldn't say that's a secure practice because
> it's subject to man-in-the-middle attack.
> For personal use it seems to be OK but for commercial purposes, it's
> bad.
For commercial purposes, it is ok if there is a path of trust between
the issuer of the self-signed certificate and myself. Actually, if I
verified a self-signed certificate myself, I trust that connection
_much_ more than one of one of the major certificate vendors who have
a history of sometimes sloppily verifying the identity of the
certificate requestor.
Greetings
Marc, not in the least surprised about this message after associating
the sender e-mail address with the message contents
--
-----------------------------------------------------------------------------
Marc Haber | "I don't trust Computers. They | Mail address in header
Mannheim, Germany | lose things." Winona Ryder | Fon: *49 621 72739834
Nordisch by Nature | How to make an American Quilt | Fax: *49 621 72739835