Re: [Pan-users] gnutls error: hostname does not match server name

pan-users

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Pan-users] gnutls error: hostname does not match server name

From:	Duncan
Subject:	Re: [Pan-users] gnutls error: hostname does not match server name
Date:	Thu, 3 May 2012 01:04:04 +0000 (UTC)
User-agent:	Pan/0.136 (I'm far too busy being delicious; GIT 187e40f /st/portage/src/egit-src/pan2)

walt posted on Wed, 02 May 2012 11:44:08 -0700 as excerpted:

> I see that both of my (very low-budget) news providers use self-signed
> certs anyway, so there is no protection from MITM possible in any case.
> (Cheap is cheap ;)

That's not exactly true.  As long as you either get the correct cert on 
the first connect (trusted first connect or get the cert via other 
channel, say via a secure web page that DOES have a properly signed 
cert... which is possible if they're actually doing financial 
transactions via that secure connection, many folks are careful enough 
not to do financial transactions over self-signed, at least), as long as 
that cert doesn't change, you can continue to trust it and it's as MitM-
proof as any signed cert at the same encryption level, self-signed or not.

Of course, if the first connection is compromised, or if either you or 
your client doesn't bother to check for consistency of cert after the 
first connection, /then/ someone could MitM it, but the idea is the same 
as with SSH, you gotta trust the channel you first get the cert with, but 
after that, you're protected as long as you're verifying that it's the 
same one each time.

Actually, in that regard a self-signed is often more secure than a 
certified signing authority signed cert.  Because most setups, browsers 
included, accept any properly signed certificate for the site and do NOT 
track changes, if for instance Iran hacks a signing authority and grants 
its own now signed certs for a site (as you're well aware if you follow 
such things, this actually happened, well, they're /reasonably/ sure it 
was Iran, it was SOMEONE using inappropriately certified certs), your 
browser won't let you know when the change, because they're all properly 
signed.  But if the site uses self-signed certs and you accept the valid 
one, if it changes, at least to another self-signed, you'll normally get 
the usual warnings all over again, and can act accordingly.

-- 
Duncan - List replies preferred.   No HTML msgs.
"Every nonfree program has a lord, a master --
and if you use the program, he is your master."  Richard Stallman

[Prev in Thread]

Current Thread

[Next in Thread]

[Pan-users] gnutls error: hostname does not match server name, walt, 2012/05/01
- Re: [Pan-users] gnutls error: hostname does not match server name, Duncan, 2012/05/02
  - Re: [Pan-users] gnutls error: hostname does not match server name, walt, 2012/05/02
    - Re: [Pan-users] gnutls error: hostname does not match server name, Duncan <=
    - Re: [Pan-users] gnutls error: hostname does not match server name, walt, 2012/05/03
    - Re: [Pan-users] gnutls error: hostname does not match server name, Duncan, 2012/05/03
    - Re: [Pan-users] gnutls error: hostname does not match server name, Heinrich Müller, 2012/05/03
- Re: [Pan-users] gnutls error: hostname does not match server name, Heinrich Müller, 2012/05/02

Prev by Date: Re: [Pan-users] gnutls error: hostname does not match server name
Next by Date: Re: [Pan-users] gnutls error: hostname does not match server name
Previous by thread: Re: [Pan-users] gnutls error: hostname does not match server name
Next by thread: Re: [Pan-users] gnutls error: hostname does not match server name
Index(es):
- Date
- Thread