


Nathan,

On 3/8/2017 12:35 PM, Nathan Andelin wrote:

> Same is true for web services. Web service clients and servers don't mess
> with certificate authorities. Why do browsers?


Not sure that I agree that SMTP and Web Services don't care about CAs, but...

Because SSL was originally created with the thought of opening up stores where you could buy items with credit cards over the Internet.

The problem is, having the site encrypted does absolutely no good if you send your credit card number to a criminal's web site. Sure, your card is nicely protected as it's sent, but if it's sent to a criminal, it's still a big problem.

The job of a certificate authority is to verify that you really are who you say you are. So if you claim to be www.amazon.com, the certificate authority will not issue a certificate unless you somehow "prove" it. (They might call Amazon's phone number, for example, or something similar... depending on how seriously they take it.)

If you go to Amazon.com, but get a certificate for another site, you can be sure that someone is intercepting the session and redirecting it somewhere else.

You might say "but, nobody does that!" Yeah, and there's a reason... if they did, it wouldn't match the CA, and so the customer would not be fooled. You can bet that if SSL wasn't so picky about things, this would be a common problem.

Typically, the only time CAs aren't used is when SSL is set up internally within an organization (vs. the public Internet). Here you can reasonably trust things since you know exactly who you are dealing with. Or, with client-side certificates. Client-side certificates are almost never used in SSL, but when they are, the certificates are typically used by whoever is running the server, since the purpose is to make sure only people they allow to use the site can log in. So a public CA where anyone can get a cert doesn't make much sense for client-side.

-SK
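
The name check described in the message above (a certificate issued for one site being presented for another), as an added example that is not part of the original post. It is a simplified illustration of the matching rule, not the TLS library's own code; the certificate dictionaries are constructed samples in the shape Python's `ssl.SSLSocket.getpeercert()` returns, and `shop.example` is a made-up name.

```python
import ssl

def dns_names(cert):
    """DNS names from a cert dict shaped like ssl.SSLSocket.getpeercert() output."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]

def name_matches(pattern, host):
    """Case-insensitive label-by-label match.

    A '*' is honoured only as the entire left-most label, stands for exactly
    one label, and is refused directly under a top-level domain ('*.com').
    """
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def cert_is_for(cert, host):
    """True if any DNS name in the certificate covers the host the user asked for."""
    return any(name_matches(name, host) for name in dns_names(cert))

def strict_client_context():
    """Default client context: CA chain validation and hostname check both enabled."""
    return ssl.create_default_context()

# Constructed sample certificates (not real certificate contents).
GENUINE = {"subjectAltName": (("DNS", "amazon.com"), ("DNS", "www.amazon.com"))}
OTHER_SITE = {"subjectAltName": (("DNS", "*.shop.example"),)}

if __name__ == "__main__":
    wanted = "www.amazon.com"
    for label, cert in (("genuine", GENUINE), ("other site", OTHER_SITE)):
        verdict = "accept" if cert_is_for(cert, wanted) else "reject: name mismatch"
        print(f"{label:10} cert for {wanted}: {verdict}")
    ctx = strict_client_context()
    print("check_hostname:", ctx.check_hostname, "| verify_mode:", ctx.verify_mode.name)
```

The name check only means something because the chain check comes first: a CA the client trusts has vouched that the holder of the key controls the names listed in the certificate.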


This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].
