On Sat, 2010-01-16 at 17:59 +0100, Vadkan Jozsef wrote:
> what does a self-signed outdated ssl cert worth? [https]
>
> could it be tricked [https] in a way, that the end user will not
> recognize? [e.g. he already accepted the cert one time, and the browser
> would warn her, if it been "attacked"?]
>
> ..I mean does an outdated self-signed certificate give the same security
> as a normal cert?
----
Whether 'expired' or 'current', a self-signed certificate offered by a web server only has worth if you trust the signer of the certificate and you have reason to believe that the certificate being offered is indeed the one signed by whoever you believe worthy of the trust.

If the certificate is expired, it is certain to generate a warning every time you encounter it.

I use self-signed certs all of the time - I trust myself. I have to convince other users to trust the certificates that I sign.

The browser only sees the certificate and knows whether it has been signed by an already trusted certificate authority. Some certificate authorities are out of the box trusted by your web browser. Many are not.

Craig

--
users mailing list
users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe: https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Communicate/MailingListGuidelines
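An added example, not part of the message above: a simplified model of a client that remembers an accepted self-signed certificate by its SHA-256 fingerprint and checks expiry as a separate question. The function names, the certificate byte strings and the dates are constructed for illustration; real clients differ in how they store and apply exceptions.

```python
import hashlib
import ssl


def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of the certificate bytes the server presented."""
    return hashlib.sha256(der).hexdigest()


def assess(der: bytes, not_after: str, accepted: set, now: float) -> list:
    """Return the reasons this model client would warn about a certificate.

    der       -- certificate bytes as presented by the server
    not_after -- expiry in the text format ssl.getpeercert() reports
    accepted  -- fingerprints the user has already chosen to trust
    now       -- current time in seconds since the epoch
    """
    reasons = []
    # Trust: for a self-signed cert there is no CA chain to lean on, so the
    # only evidence is "these are the exact bytes I accepted before".
    if fingerprint(der) not in accepted:
        reasons.append("untrusted")
    # Validity period: checked independently of who signed the certificate.
    if ssl.cert_time_to_seconds(not_after) < now:
        reasons.append("expired")
    return reasons


# Constructed sample data (stand-ins, not real certificates).
ORIGINAL_DER = b"constructed stand-in: the self-signed cert the user accepted"
SWAPPED_DER = b"constructed stand-in: a different cert offered by the same host"
NOT_AFTER = "Jan  1 00:00:00 2010 GMT"            # already past at NOW
NOW = ssl.cert_time_to_seconds("Jan 16 16:59:00 2010 GMT")
ACCEPTED = {fingerprint(ORIGINAL_DER)}

if __name__ == "__main__":
    print("same cert, expired: ", assess(ORIGINAL_DER, NOT_AFTER, ACCEPTED, NOW))
    print("swapped cert:       ", assess(SWAPPED_DER, NOT_AFTER, ACCEPTED, NOW))
```

In this model a swapped certificate stands out only because its fingerprint differs from the accepted one; a user who clicks through every warning gets no such signal.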