Re: Successor of MD5 authentication, let's use SCRAM

From: Magnus Hagander <magnus(at)hagander(dot)net>
To: Daniel Farina <daniel(at)heroku(dot)com>
Cc: Andrew Dunstan <andrew(at)dunslane(dot)net>, Darren Duncan <darren(at)darrenduncan(dot)net>, John R Pierce <pierce(at)hogranch(dot)com>, pgsql-hackers(at)postgresql(dot)org
Subject: Re: Successor of MD5 authentication, let's use SCRAM
Date: 2012-10-14 09:04:01
Message-ID: CABUevEzQFftNSpDQp1xpR-5shhsG9Z1rCYMtHy8U2qSCLSMWqg@mail.gmail.com
Lists: pgsql-hackers

On Sun, Oct 14, 2012 at 5:59 AM, Daniel Farina <daniel(at)heroku(dot)com> wrote:
> On Sat, Oct 13, 2012 at 7:00 AM, Andrew Dunstan <andrew(at)dunslane(dot)net> wrote:
>> Does Debian create a self-signed certificate? If so, count me as
>> unimpressed. I'd argue that's worse than doing nothing. Here's what the docs
>> say (rightly) about such certificates:
>
> Debian will give you a self signed certificate by default. Protecting
> against passive eavesdroppers is not an inconsiderable benefit to get
> for "free", and definitely not a marginal attack technique: it's
> probably the most common.
>
> For what they can possibly know about the end user, Debian has it right here.

There's a lot of shades of gray to that one. Way too many to say
they're right *or* wrong, IMHO.

It *does* make people think they have "full ssl security by default",
which they *don't*. They do have partial protection, which helps in
some (fairly common) scenarios. But if you compare it to the
requirements that people *do* have when they use SSL, it usually
*doesn't* protect them the whole way - but they get the illusion that
it does. Sure, they'd have to read up on the details in order to get
secure whether it's on by default or not - that's why I think it's
hard to call it either right or wrong, but it's rather somewhere in
between.

They also enable things like encryption on all localhost connections.
I consider that plain wrong, regardless. Though it provides for some
easy "performance tuning" for consultants...

--
Magnus Hagander
Me: http://www.hagander.net/
Work: http://www.redpill-linpro.com/
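The "partial protection" point above, shown in code: an added example (not from this thread or from PostgreSQL) that builds a throwaway self-signed certificate for a made-up host "db.example", runs TLS handshakes over an in-memory pipe, and compares three client policies. Skipping verification gets encryption against a passive eavesdropper but accepts any certificate an active interposer presents; verifying against roots that lack the certificate fails; pinning the server's own certificate as the root both encrypts and authenticates, which is what "the whole way" requires.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"math/big"
	"net"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}
// selfSignedCert builds a throwaway self-signed cert for "db.example" in memory
// (constructed for this example; it stands in for a distro-generated one).
func selfSignedCert() tls.Certificate {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), DNSNames: []string{"db.example"}, IsCA: true,
		BasicConstraintsValid: true, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}
}

// accepted runs one handshake over an in-memory pipe and reports whether a
// client configured with cfg accepts the server presenting srv.
func accepted(srv tls.Certificate, cfg *tls.Config) bool {
	c, s := net.Pipe()
	go tls.Server(s, &tls.Config{Certificates: []tls.Certificate{srv}}).Handshake()
	defer c.Close()
	return tls.Client(c, cfg).Handshake() == nil
}

// Compare: skipping verification accepts the self-signed server (encrypted, but an
// interposer's cert would pass too); unknown roots reject; pinning the cert accepts.
func Compare() (skip, unknownCA, pinnedCA bool) {
	srv := selfSignedCert()
	pool := x509.NewCertPool()
	pool.AddCert(must(x509.ParseCertificate(srv.Certificate[0])))
	return accepted(srv, &tls.Config{InsecureSkipVerify: true}),
		accepted(srv, &tls.Config{ServerName: "db.example", RootCAs: x509.NewCertPool()}),
		accepted(srv, &tls.Config{ServerName: "db.example", RootCAs: pool})
}
```

The first policy is roughly the protection a client that does not verify the server certificate gets from a default self-signed install; only the third checks that the peer is the server it claims to be.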
