goldfisch-zertifikate

For secure communication on the Internet there are so-called “certificates” (“Zertifikate”).

Certificates serve two security purposes:

  1. encrypting the communication: the certificate carries the server's public key, with which the browser sets up an encrypted connection (so your neighbour on the same UPC cable segment cannot watch what you are surfing)
  2. ensuring that the communication partner is the one it claims to be (so that the web page you visit is really the one you wanted)



Commercial certificate authorities issue certificates for servers and web pages. What they mainly do is make big money: up to 1000€ per certificate is hardly affordable, and for that amount of money the identity of the web page is checked by sending an email or a letter, which is hardly enough.

So smart people came up with the self-signed certificate, which is free and can be created by anyone. That is what I do for the goldfisch and the zimbra.

My certificates ensure that the communication is encrypted, but they do not ensure that you are *really* talking to the goldfisch: the browser has no way to tell my self-signed certificate from one that somebody else signed himself for the same name. Even a commercial certificate would not ensure that, because the authority only checks that the buyer controls the domain name on the certificate; anyone with 1000€ and a similar-looking domain can buy one and claim to be the goldfisch.

So you still have to use your other senses to check whether the page you see, and the zimbra web page where you enter your password, is really zimbra.goldfisch.at, or whether a spam email has misled you to a page like zimbra.goldflsch.at that collects your password (did you notice the l instead of the i in the second URL?).

This is what is called phishing, and it is done against big companies and especially online banking all the time. I doubt it will ever happen with goldfisch, but who knows.
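To make the "use your other senses" check mechanical, here is an added example (not part of the original page, and not anything goldfisch or zimbra ships) that classifies the hostname of a URL before you type a password into it. It assumes goldfisch.at is the only domain the author controls, folds characters that look alike in an address bar (l/1/i, 0/o, rn/m, Cyrillic letters) before comparing, and also catches near-miss spellings such as goldfish.at and the trusted name buried inside a foreign domain:

```python
"""Classify the hostname of a URL as the real goldfisch, a look-alike, or something else."""
import difflib
from urllib.parse import urlsplit

# The only domain the author controls (assumption this example is built on).
TRUSTED_DOMAIN = "goldfisch.at"

# Characters and digraphs that read alike in an address bar, mapped to one
# canonical letter. Longer keys are applied first.
CONFUSABLES = {
    "rn": "m", "vv": "w",
    "l": "i", "1": "i", "|": "i", "\u00ed": "i", "\u00ec": "i", "\u00ef": "i",
    "\u0131": "i",                                   # dotless i
    "0": "o", "\u03bf": "o", "\u043e": "o",          # digit zero, Greek omicron, Cyrillic o
    "5": "s", "$": "s",
    "\u0430": "a", "\u0435": "e", "\u0441": "c", "\u0440": "p",  # Cyrillic a, e, c, p
}


def to_unicode(host: str) -> str:
    """Decode punycode (xn--) labels so Unicode look-alikes get folded too."""
    try:
        return host.encode("ascii").decode("idna")
    except ValueError:          # non-ASCII input or malformed punycode: keep as is
        return host


def skeleton(host: str) -> str:
    """What a human sees: lowercase, punycode decoded, confusables folded."""
    s = to_unicode(host.lower().rstrip("."))
    for seq, rep in sorted(CONFUSABLES.items(), key=lambda kv: -len(kv[0])):
        s = s.replace(seq, rep)
    return s


def registrable(host: str) -> str:
    """Last two labels of a hostname. Simplification: no public-suffix list."""
    return ".".join(host.split(".")[-2:])


def classify(url: str) -> str:
    """Return one of: trusted, lookalike, embedded, unknown.

    trusted   - the host is TRUSTED_DOMAIN or a subdomain of it
    lookalike - the registrable domain looks like TRUSTED_DOMAIN but is not it
                (goldflsch.at, go1dfisch.at, goldfish.at, IDN tricks)
    embedded  - TRUSTED_DOMAIN appears as labels inside a foreign domain
                (zimbra.goldfisch.at.example.com)
    unknown   - none of the above
    """
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    if host == TRUSTED_DOMAIN or host.endswith("." + TRUSTED_DOMAIN):
        return "trusted"
    sk_host, sk_trusted = skeleton(host), skeleton(TRUSTED_DOMAIN)
    sk_reg = registrable(sk_host)
    if sk_reg == sk_trusted:
        return "lookalike"
    # near-miss spellings: one letter dropped or swapped still scores >= 0.9
    if difflib.SequenceMatcher(None, sk_reg, sk_trusted).ratio() >= 0.9:
        return "lookalike"
    if ("." + sk_host + ".").find("." + sk_trusted + ".") != -1:
        return "embedded"
    return "unknown"


if __name__ == "__main__":
    for u in ("https://zimbra.goldfisch.at/", "https://zimbra.goldflsch.at/",
              "https://goldfish.at/", "https://zimbra.goldfisch.at.example.com/"):
        print(f"{classify(u):10} {u}")
```

The registrable-domain guess (last two labels) assumes no public suffix list, so names like something.co.uk would need one. The fold table is deliberately small; a real deployment would use the Unicode confusables data instead of a hand-written dictionary.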

So what I want to say:

  • certificates ensure encryption
  • certificates do not by themselves ensure authentication: a self-signed one proves nothing about who runs the server, and even a commercially issued one only proves that the holder controls that exact domain name, not that the name is the one you meant to visit


In real life there is another issue:

Modern browsers are very suspicious of self-signed certificates. They only trust certificates issued by the authorities built into the browser, so you get a message like “untrusted certificate” or similar. You then have to decide whether you trust the certificate or not. If you do, accept it permanently so the browser will not bother you again. A browser that has stored the certificate will warn you again if a different one turns up later, and that is exactly the moment to stop and check rather than click through.

With zimbra I had to change the certificate a lot in the past, so you have gotten this message a few times. I’m sorry. But the first certificate expired in December and then I did an upgrade which automatically created a new certificate. I’m sorry for that, and please accept the new certificate, which will hopefully last for the next 10 years :)
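A self-signed certificate can still be checked, just not by the browser: compare the SHA-256 fingerprint the “untrusted certificate” dialog shows with one the admin published somewhere else (on this wiki, by mail, on paper). The following added example (not from this page and not part of Zimbra) computes that fingerprint from the PEM text that `openssl s_client -connect zimbra.goldfisch.at:443 -showcerts` prints and compares it with the published value in constant time. The certificate bytes and the s_client output inside it are constructed stand-ins, not a real goldfisch certificate:

```python
"""Pin a self-signed certificate by its SHA-256 fingerprint instead of trusting a dialog.

Input: the text printed by
    openssl s_client -connect zimbra.goldfisch.at:443 -showcerts </dev/null
(or the PEM exported from the browser's certificate dialog). Output: the same
SHA-256 fingerprint the browser shows, and a yes/no against the published value.
"""
import base64
import hashlib
import hmac
import re

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)


def extract_certificates(text: str) -> list:
    """Return the DER bytes of every PEM certificate block found in `text`.

    Works on raw s_client output: everything outside the BEGIN/END markers
    (CONNECTED(...), subject=..., the TLS banner) is ignored. The first block
    is the server's own certificate; later ones are its chain.
    """
    return [base64.b64decode("".join(m.group(1).split()))
            for m in PEM_BLOCK.finditer(text)]


def sha256_fingerprint(der: bytes) -> str:
    """SHA-256 over the DER bytes, printed the way browsers and openssl do:
    uppercase hex pairs separated by colons."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalise(fp: str) -> str:
    """Accept fingerprints as humans type them: any case, colons or spaces optional."""
    return re.sub(r"[^0-9A-F]", "", fp.upper())


def fingerprint_matches(der: bytes, published: str) -> bool:
    """Constant-time comparison of the certificate's fingerprint with the published one."""
    return hmac.compare_digest(normalise(sha256_fingerprint(der)), normalise(published))


def check_server_output(text: str, published: str) -> bool:
    """True when the server certificate (first PEM block) matches the published fingerprint."""
    certs = extract_certificates(text)
    return bool(certs) and fingerprint_matches(certs[0], published)


# Constructed stand-in for a certificate. Real DER starts with an ASN.1 SEQUENCE
# header (0x30 0x82 ...); these bytes are NOT a parsable X.509 certificate, they
# only exercise the base64/hash path so the example runs offline.
SAMPLE_DER = b"\x30\x82\x01\x00" + b"zimbra.goldfisch.at self-signed stand-in" * 4
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.encodebytes(SAMPLE_DER).decode("ascii")
    + "-----END CERTIFICATE-----\n"
)

# Constructed imitation of `openssl s_client -showcerts` output around it.
SCLIENT_OUTPUT = (
    "CONNECTED(00000003)\n"
    "depth=0 CN = zimbra.goldfisch.at\n"
    "verify error:num=18:self signed certificate\n"
    "---\n"
    "Certificate chain\n"
    " 0 s:CN = zimbra.goldfisch.at\n"
    "   i:CN = zimbra.goldfisch.at\n"
    + SAMPLE_PEM
    + "---\n"
    "Server certificate\n"
    "subject=CN = zimbra.goldfisch.at\n"
)

# What the admin would publish next to the "please accept the new certificate"
# notice. Here it is derived from the stand-in; for the real server it is what
#   openssl x509 -in cert.pem -noout -fingerprint -sha256
# prints.
PUBLISHED_FINGERPRINT = sha256_fingerprint(SAMPLE_DER)


if __name__ == "__main__":
    server_der = extract_certificates(SCLIENT_OUTPUT)[0]
    print("server cert fingerprint:", sha256_fingerprint(server_der))
    print("matches published value:", check_server_output(SCLIENT_OUTPUT, PUBLISHED_FINGERPRINT))
```

Publish the fingerprint on a channel the attacker cannot also rewrite (a wiki page served over plain HTTP would be changed by the same person who swapped the certificate), and accept the certificate permanently only after the two values agree.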


thnx peter

goldfisch/tech/goldfisch-zertifikate.txt · Last modified: 2009/12/21 10:20 by peter