Comments on: SSLFail is SSL Enabled http://www.sslfail.com/2009/02/sslfail-is-ssl-enabled/ 1.2.840.113549.1.1 Thu, 01 Jul 2010 03:13:58 +0000 http://wordpress.org/?v=2.9.2 hourly 1 By: Tyler http://www.sslfail.com/2009/02/sslfail-is-ssl-enabled/comment-page-1/#comment-88 Tyler Fri, 27 Feb 2009 11:56:07 +0000 http://www.sslfail.com/?p=283#comment-88 Michael, I just said this on your other comment, but I'll repeat it here in case you don't see both... I figure the people wanting SSL wanted to bypass basic content filtering, meaning they only needed encryption not trust. I agree 100% that we shouldn't need SSL and for that reason I won't spend the money on a cert. That's why I provided the self signed cert, I haven't redirected HTTP to it, other than one link I'm not advertising it... it's there for the people that want it. As for the CA Cert... I will add an addendum to the post. Personally I see humor in a cert signed by SSLFail, one of the reasons I shared it (I honestly don't expect much of a non-technical readership on a blog like this), but that is indeed my bad. Tyler. Michael,

I just said this on your other comment, but I’ll repeat it here in case you don’t see both… I figure the people wanting SSL wanted to bypass basic content filtering, meaning they only needed encryption not trust.

I agree 100% that we shouldn’t need SSL and for that reason I won’t spend the money on a cert. That’s why I provided the self signed cert, I haven’t redirected HTTP to it, other than one link I’m not advertising it… it’s there for the people that want it.

As for the CA Cert… I will add an addendum to the post. Personally I see humor in a cert signed by SSLFail, one of the reasons I shared it (I honestly don’t expect much of a non-technical readership on a blog like this), but that is indeed my bad.

Tyler.

]]> By: Michael Coates http://www.sslfail.com/2009/02/sslfail-is-ssl-enabled/comment-page-1/#comment-82 Michael Coates Thu, 26 Feb 2009 16:13:54 +0000 http://www.sslfail.com/?p=283#comment-82 Since this site is dedicated to the secure use of SSL, I think this approach is worth a bit of discussion. First off, I don't see any reason for this site to need SSL. Not having SSL does not equal a problem. The need for SSL depends on whether the guarantees SSL provides are necessary - guarantees of integrity, confidentiality, reply prevention and end-point authentication. Since this site is intended for people to read provided information, I don't personally see a reason for SSL. Aside from that note, let's look at the practice of providing a certificate for download. The link above allows a user to download the certificate to prevent the browser's warning message of unknown issuer. Since the certificate is available of http, a MitM could just as easily switch the URL so it points to there cert which they've created for sslfail.com. So, providing a cert for download over http provides zero security. Now, to restate my original point. I bring this up only since this site is intended to discuss security of SSL and certificates. I really don't see any reason to use SSL for SSLfail.com. -Michael Since this site is dedicated to the secure use of SSL, I think this approach is worth a bit of discussion. First off, I don’t see any reason for this site to need SSL. Not having SSL does not equal a problem. The need for SSL depends on whether the guarantees SSL provides are necessary – guarantees of integrity, confidentiality, reply prevention and end-point authentication. Since this site is intended for people to read provided information, I don’t personally see a reason for SSL.

Aside from that note, let’s look at the practice of providing a certificate for download. The link above allows a user to download the certificate to prevent the browser’s warning message of unknown issuer. Since the certificate is available of http, a MitM could just as easily switch the URL so it points to there cert which they’ve created for sslfail.com. So, providing a cert for download over http provides zero security.

Now, to restate my original point. I bring this up only since this site is intended to discuss security of SSL and certificates. I really don’t see any reason to use SSL for SSLfail.com.

-Michael

]]>