[paramiko] www.lag.net server issue?
Dwayne C. Litzenberger
dlitz at dlitz.net
Mon Feb 18 22:02:39 PST 2008
On Sun, Feb 17, 2008 at 04:21:38PM -0800, Robey Pointer wrote:
>> Fetching failed:: peer certificate cannot be authenticated with known
>> CA certificates
>
>Another good example of why SSH is a superior protocol to SSL. I'm not
>going to pay thousands of dollars to a financial corporation just to
>have the "right kind" of cert. Therefore self-signed certs are a fact
>of life, and all these SSL clients complaining about them just make
>SSL look confusing to end users.
Robey,
For somebody browsing on an open wi-fi network---particularly someone who
has never visited www.lag.net before---the "right kind" of SSL certs
provide a useful service: They make it much more difficult for an attacker
on the local wireless LAN to substitute your software with a modified
version, and they would make it possible to bootstrap trust for your public
GPG key. In this use case, self-signed certificates are just as useful as
the practice of _not_ checking SSH host keys: They provide a false sense of
security, and completely fail to address the bootstrapping problem.
If you shop around, you can get an annual SSL cert for less than US$100
(http://www.rapidssl.com/ currently advertises US$69/year).
As the maintainer of an important cryptography library, you should be
providing _some_ means for end-users and distributors to verify that the
software they download is the same software you release.
--
Dwayne C. Litzenberger <dlitz at dlitz.net>
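The last paragraph asks the maintainer to give end-users "some means" of checking that a downloaded release is the one that was published. The usual minimum is a `sha256sum`-style manifest of digests next to the release files. The following is an added example, not code from the thread or from the paramiko project: it parses such a manifest, hashes the files on disk, and reports OK / MISMATCH / MISSING per file. File names, sample bytes and the manifest are all constructed here. It does not address the point the message is really about: the manifest itself only helps if it was fetched over a channel the client can authenticate (CA-validated TLS, or a detached GPG signature whose key was bootstrapped some other way); over a self-signed or unchecked channel an attacker who swaps the tarball can swap the manifest too.

```python
import hashlib
import hmac
import tempfile
from pathlib import Path

# One manifest line as written by `sha256sum`: "<64 hex chars>  <filename>".
# A leading '*' on the filename marks binary mode and is ignored.
HEX = set("0123456789abcdef")


def parse_manifest(text):
    """Return {filename: hex_digest}. Malformed lines raise ValueError rather than
    being skipped, so a truncated or tampered manifest is not silently accepted."""
    expected = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2 or len(parts[0]) != 64 or set(parts[0].lower()) - HEX:
            raise ValueError(f"manifest line {lineno} is malformed: {raw!r}")
        digest, name = parts[0].lower(), parts[1].lstrip("*")
        # Refuse names that would escape the download directory.
        if "/" in name or "\\" in name or name in ("", ".", ".."):
            raise ValueError(f"manifest line {lineno} has an unsafe filename: {name!r}")
        expected[name] = digest
    return expected


def sha256_file(path, chunk_size=65536):
    """Stream the file through SHA-256 so large tarballs do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_downloads(manifest_text, directory):
    """Return {filename: 'OK' | 'MISMATCH' | 'MISSING'} for every entry in the manifest."""
    results = {}
    for name, digest in parse_manifest(manifest_text).items():
        path = Path(directory) / name
        if not path.is_file():
            results[name] = "MISSING"
        elif hmac.compare_digest(sha256_file(path), digest):
            results[name] = "OK"
        else:
            results[name] = "MISMATCH"
    return results


def demo():
    """Constructed scenario (hypothetical file names and contents): one intact
    download, one altered in transit, one listed in the manifest but never fetched."""
    with tempfile.TemporaryDirectory() as d:
        good = b"release tarball bytes (constructed sample)\n"
        (Path(d) / "release.tar.gz").write_bytes(good)
        (Path(d) / "release-mirror.tar.gz").write_bytes(good + b"# injected\n")
        published = hashlib.sha256(good).hexdigest()
        manifest = "\n".join([
            "# SHA256SUMS (constructed)",
            f"{published}  release.tar.gz",
            f"{published}  release-mirror.tar.gz",
            f"{'0' * 64}  release-absent.tar.gz",
        ])
        return verify_downloads(manifest, d)


if __name__ == "__main__":
    for name, status in sorted(demo().items()):
        print(f"{status:9} {name}")
```

Run it directly to see the three outcomes. The constant-time comparison is not strictly needed for a public digest, but using `hmac.compare_digest` for any "expected vs. computed" check is a habit worth keeping.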