[rt-users] HTTP and HTTPS on same RT server?

Lutz Jaenicke lutz at lutz-jaenicke.de
Tue Feb 26 12:12:46 EST 2008


jmoseley at corp.xanadoo.com wrote:
> Better yet, import the self-generated CA cert (that you used to sign each
> of your SSL certs) into each browser as a trusted root certificate
> authority and no more warnings...
This is a pretty bad idea unless you are living in a closed system.
If I add the "xanadoo.com" root CA to my trusted root CAs, my browser
would stop warning me if I hit a forged https://www.mytrustedbank.com/
website with a certificate signed by the "xanadoo.com" root CA.
The trust model used with typical browsers is such that you had better only
add those root certificates you _really_ trust and not add lots of
home-grown root CAs along the way.

Best regards,
    Lutz
PS. Please no new discussion about how trustworthy Verisign et al. might
ultimately be as root CAs. That's a topic of its own.
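The trust-model point above, as an added example (Go, written for this page; not code from the thread or from RT): a home-grown root, once imported as trusted, vouches for any hostname, including the bank placeholder from the message, and the same check passes or fails depending only on whether the root was issued with an X.509 name constraint (the standard mitigation, not mentioned in the thread). CA name, hostnames and keys are constructed in memory.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue builds an in-memory home-grown root CA and a server certificate for host signed
// by it (constructed demo data). A non-empty permitted adds an X.509 name constraint.
func issue(permitted, host string) (ca, leaf *x509.Certificate) {
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	leafKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	now := time.Now()
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "home-grown root CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	if permitted != "" { // with a name constraint the root may only vouch for names under that domain
		caTmpl.PermittedDNSDomains, caTmpl.PermittedDNSDomainsCritical = []string{permitted}, true
	}
	caDER, _ := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	ca, _ = x509.ParseCertificate(caDER)
	// Any host at all: a root CA's signature is not scoped to its owner's own domain.
	leafTmpl := &x509.Certificate{SerialNumber: big.NewInt(2), DNSNames: []string{host},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	leafDER, _ := x509.CreateCertificate(rand.Reader, leafTmpl, ca, &leafKey.PublicKey, caKey)
	leaf, _ = x509.ParseCertificate(leafDER)
	return ca, leaf
}

// trusts reports whether a client that imported ca as a trusted root accepts leaf for host.
func trusts(ca, leaf *x509.Certificate, host string) bool {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err == nil
}

func main() {
	bank := "www.mytrustedbank.com" // placeholder host from the thread
	for _, permitted := range []string{"", "xanadoo.com"} {
		ca, leaf := issue(permitted, bank)
		fmt.Printf("root constrained to %q, forged %s cert accepted: %v\n", permitted, bank, trusts(ca, leaf, bank))
	}
}
```

The first iteration prints `true` (an unconstrained private root is trusted for every site), the second `false` (the constrained root only vouches for names under xanadoo.com).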
