Chris Adams <cmadams@xxxxxxxxxx> writes: > HTTPS with an unknown self-signed cert is barely any more secure than > unencrypted HTTP, since a man-in-the-middle attack could just be > replacing the cert and decrypting all communications. It is a shame that there isn't a simple documented way to add other CA's to Firefox's approved list or some system global way to add CA's for all programs looking for pki certs. I for one don't really trust external CA's for access to my computers since I don't know their verification policy. For all I know one of them can be tricked into handing out a *.wsrcc.com certificate. I feel much more secure knowing that anyone signing with my CA first has to get hold of the signing key and then decrypt it. As for the man-in-the-middle attack, I'd imagine the biggest usage case is an eavesdropped-in-the-middle and not someone that was able to break the data stream and insert themselves. Having an encrypted channel with a slightly nebulous endpoint is still better than having an unencrypted channel. -wolfgang -- Wolfgang S. Rupprecht Android 1.5 (Cupcake) and Fedora-11 -- fedora-list mailing list fedora-list@xxxxxxxxxx To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list Guidelines: http://fedoraproject.org/wiki/Communicate/MailingListGuidelines
