On Tue, Sep 13, 2011 at 09:45:39AM -0500, Chris Adams wrote:
> Once upon a time, Tei <oscar.vives@gmail.com> said:
> > He, I just want to self-sign my CERTs and remove the ugly warning that browsers show.
>
> SSL without some verification of the far end is useless, as a man-in-the-middle attack can create self-signed certs just as easily.
It protects against attacks where the attacker merely monitors the traffic between the two endpoints. As you suggest, it does not protect against MITM, but that's different from being useless. The value of protecting against the former but not the latter may vary by situation, but it's not always zero. Not all attackers/attacks that can sniff also have the capability and willingness to MITM.

(And even SSL w/ endpoint verification isn't absolute security. For example, it doesn't protect against endpoint compromises. But that doesn't make endpoint verification useless.)

-- Brett