Hi Doug,

> When I connect to my host I login and get a popup from FileZilla asking
> if I will accept a DC. I respond yes and I'm in. Why am I sending out
> the DC to the remote client?

You aren't sending the local CA cert to the client for YOUR protection. You're sending it to the client for THE CLIENT'S protection.

The idea is that they can use this CA cert to verify that the server is really you. If you didn't do that, it could be someone impersonating you (a man-in-the-middle attack, or phishing, or something like that).

Remember, SSL was originally designed to let retailers sell stuff using a credit card over the web. The goal is to let the consumer know that they're really sending the credit card number to the right place. If I set up a web site named 'WalmartOutlet.com' and told everyone that I was Wal-Mart, then they might trust me and send me their credit card numbers. That would be gr8t, cuz I could buy l0tz of n33t stuff.

One problem: My SSL certificate wouldn't match the CA certificate installed in the client's web browser. That would tell the client that I'm not to be trusted. Oh well, I guess I'll have to work for a living...

That's the point of the CA certificate: To verify that the server REALLY IS who the server claims to be. That's the reason you want to install your local CA into your client's system -- so the client can be confident that they're FTPing the files to YOU, and not someone else.

If you'd like to ALSO verify who the client is, then you need to implement client certificates. This is not implemented by default in SSL (because, again, SSL was created for retailers... Wal-Mart will sell to anyone. They don't want/need to have to distribute client certificates to every potential customer!). However, SSL does have this option; it just has to be set up, and additional certificates need to be generated and distributed.
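The two checks the reply describes, server verification against a locally installed CA and the optional client-certificate check, as an added example that is not part of the original thread and not the poster's or FileZilla's code. It uses Go's standard crypto/x509 package to stand in for the TLS stack of an FTPS client and server: a constructed "Local FTPS CA" signs a server certificate for the assumed hostname ftp.example.com and a client certificate for "doug-laptop"; a second, constructed "Impostor CA" issues certificates carrying the same server name and a stranger's client name. Verification against the local CA accepts the genuine server and client and rejects the impostor's, which is the WalmartOutlet.com scenario above played out in code.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// identity is a private key plus the certificate issued for its public key.
type identity struct {
	key  *ecdsa.PrivateKey
	cert *x509.Certificate
}

// must turns a setup failure (key generation, certificate encoding) into a panic.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// newCert generates a fresh P-256 key, dates the template, and has it signed by
// parent; with a nil parent it is self-signed, which is how a root CA is made.
func newCert(tmpl *x509.Certificate, parent *identity) *identity {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl.NotBefore, tmpl.NotAfter = time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour)
	parentCert, signer := tmpl, key
	if parent != nil {
		parentCert, signer = parent.cert, parent.key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parentCert, &key.PublicKey, signer))
	return &identity{key: key, cert: must(x509.ParseCertificate(der))}
}

// newCA creates a self-signed CA: the "local CA" whose certificate the server
// operator hands to FTPS clients so they can recognise the genuine server.
func newCA(name string) *identity {
	return newCert(&x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}, nil)
}

// issue creates a leaf certificate signed by ca: host goes into the SAN list of a
// server certificate and is left empty for a client certificate.
func issue(ca *identity, cn, host string, usage x509.ExtKeyUsage) *identity {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: cn},
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{usage},
	}
	if host != "" {
		tmpl.DNSNames = []string{host}
	}
	return newCert(tmpl, ca)
}

// verify is what the relying party does: chain the leaf up to the single CA it
// trusts, and for a server also match the connected hostname against the SANs.
func verify(leaf, trustedCA *x509.Certificate, host string, usage x509.ExtKeyUsage) error {
	roots := x509.NewCertPool()
	roots.AddCert(trustedCA)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host, KeyUsages: []x509.ExtKeyUsage{usage}})
	return err
}

// runScenarios plays both halves of the reply: the client checking the server
// against the local CA, then the optional client-certificate check. All names below are constructed.
func runScenarios() map[string]bool {
	srv, cli := x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth
	ourCA := newCA("Local FTPS CA")
	impostorCA := newCA("Impostor CA")
	server := issue(ourCA, "ftp.example.com", "ftp.example.com", srv)
	fake := issue(impostorCA, "ftp.example.com", "ftp.example.com", srv) // right name, wrong CA
	client := issue(ourCA, "doug-laptop", "", cli)
	stranger := issue(impostorCA, "someone-else", "", cli)
	return map[string]bool{
		"genuine server accepted":  verify(server.cert, ourCA.cert, "ftp.example.com", srv) == nil,
		"impostor server rejected": verify(fake.cert, ourCA.cert, "ftp.example.com", srv) != nil,
		"wrong hostname rejected":  verify(server.cert, ourCA.cert, "other.example.com", srv) != nil,
		"our client accepted":      verify(client.cert, ourCA.cert, "", cli) == nil,
		"stranger client rejected": verify(stranger.cert, ourCA.cert, "", cli) != nil,
	}
}

func main() {
	fmt.Println(runScenarios())
}
```

The server checks never look at the client's identity, which is why a plain SSL/FTPS setup only needs the CA certificate on the client side; the two client-certificate cases are the extra step the reply says must be set up separately, and they only work because the client's certificate was issued by the same local CA the server trusts.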

This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].