So unless you have a real purchased SSL cert (Thawte) or you have a server acting as an enterprise CA on your network, there really is no advantage to using a custom SSL cert over the in-built HTTPS function?

Chris Buechler wrote:

>On 11/25/05, Mark Wass <mark dot wass at market dash analyst dot com> wrote:
>
>>Thanks for the reply.
>>
>>I thought when you use HTTPS that it made use of encryption, why would I
>>use an SSL cert if I'm using HTTPS?
>
>There is always an SSL cert when using HTTPS (it's what makes the
>encryption possible). Defining a custom cert, for one example, can
>allow you to put in a certificate signed by an enterprise CA that your
>machines trust already. This would be to avoid the annoying "is this
>certificate ok" prompts from web browsers, and it makes it much easier
>to detect MITM attacks against SSL from the likes of sslmitm, et al.
>Ideally you would use trusted certs for all HTTPS across your network,
>and if that certificate warning message ever pops up, your users
>should be trained to be suspicious.
>
>You can also use it to use a "real" cert bought from a trusted CA
>(like Verisign and others), which will achieve the same results as
>above, without having to install and manage your own CA.
>
>-Chris
>
>---------------------------------------------------------------------
>To unsubscribe, e-mail: m0n0wall dash unsubscribe at lists dot m0n0 dot ch
>For additional commands, e-mail: m0n0wall dash help at lists dot m0n0 dot ch
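
The difference described in the reply above, as an added example that is not part of the original thread: a certificate issued by a CA the clients already trust verifies cleanly, while a self-signed certificate for the same hostname does not, which is exactly when the browser prompt appears. It uses the `openssl` command line; the CA name, the hostname `firewall.example.lan` and the function names are constructed placeholders.

```shell
#!/bin/sh
# Lab sketch; the CA name and firewall.example.lan are constructed placeholders.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

make_ca() {
    # Root certificate that client machines would import as trusted.
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=Example Enterprise CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
}

issue_cert() {
    # $1 = hostname of the web GUI. Key and CSR are created, then the CA signs.
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$1" \
        -keyout "$WORK/gui.key" -out "$WORK/gui.csr" 2>/dev/null
    # Current browsers match the hostname against subjectAltName, so set it.
    printf 'subjectAltName=DNS:%s\n' "$1" > "$WORK/san.ext"
    openssl x509 -req -in "$WORK/gui.csr" -days 30 \
        -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
        -extfile "$WORK/san.ext" -out "$WORK/gui.pem" 2>/dev/null
}

make_untrusted() {
    # Self-signed cert for the same name: what a client sees when the
    # certificate did not come from the CA it trusts.
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=$1" \
        -keyout "$WORK/other.key" -out "$WORK/other.pem" 2>/dev/null
}

chains_to_ca() {
    # Exit status 0 only when certificate $1 verifies against the CA.
    openssl verify -CAfile "$WORK/ca.pem" "$1" >/dev/null 2>&1
}

make_ca && issue_cert firewall.example.lan && make_untrusted firewall.example.lan
chains_to_ca "$WORK/gui.pem"   && echo "CA-issued cert: verifies, no prompt"
chains_to_ca "$WORK/other.pem" || echo "self-signed cert: fails, prompt appears"
```

Only `ca.pem` is distributed to clients; `ca.key` stays on the machine that signs certificates.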