[Discuss] Delivering mail to folders

Tom Metro tmetro+blu at gmail.com
Mon Feb 1 13:38:22 EST 2016


Edward Ned Harvey (blu) wrote:
>David Kramer wrote:
>> ...would it be reasonable and possible to use a self-signed cert for starters...
> 
> Ever-so-slightly better than no encryption.

Huh? We're talking about using a self-signed cert for IMAP access, right?

Self-signed certs have all the same cryptographic benefits as a
CA-signed cert, including having your client validate the cert, if you
install your own root cert on your clients.

The only downside to self-signed certs is the inconvenience of having
to install the root certs on your clients. This is why they aren't used
for public web sites.

Even without installing a root cert, many clients will warn you about
the invalid cert, and if you agree to connect anyway, they give an
option to let you store the exception. If implemented correctly, the
client will warn again if the cert fingerprint changes, raising the bar
for (but not preventing) a MITM attack.

 -Tom

-- 
Tom Metro
The Perl Shop, Newton, MA, USA
"Predictable On-demand Perl Consulting."
http://www.theperlshop.com/
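As an added illustration (not from Tom's post, and not any mail client's actual code): a minimal trust-on-first-use fingerprint store of the kind the post describes, which warns on a changed fingerprint instead of silently re-pinning, plus an `ssl` context that validates an IMAP server against a private root CA only. The host name, port, PEM path and certificate bytes are constructed placeholders; a real client would pass the DER bytes returned by `getpeercert(binary_form=True)`.

```python
import hashlib
import ssl
from enum import Enum


class PinResult(Enum):
    FIRST_USE = "no stored exception yet: ask the user before storing"
    MATCH = "fingerprint matches the stored exception"
    CHANGED = "fingerprint CHANGED since last connection: warn, do not connect"


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate as colon-separated hex."""
    digest = hashlib.sha256(der_cert).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def check_pin(host: str, port: int, der_cert: bytes, store: dict) -> PinResult:
    """Trust-on-first-use check keyed by host:port.

    A correctly implemented client stores the fingerprint on first contact
    (after the user accepts it), accepts it unchanged afterwards, and refuses
    when the server presents a different certificate rather than overwriting
    the stored value, which is what makes a later MITM attempt visible."""
    key = f"{host}:{port}"
    fp = fingerprint(der_cert)
    stored = store.get(key)
    if stored is None:
        store[key] = fp
        return PinResult.FIRST_USE
    if stored == fp:
        return PinResult.MATCH
    return PinResult.CHANGED  # deliberately leaves the old pin in place


def private_root_context(root_ca_pem_path: str) -> ssl.SSLContext:
    """Context trusting only your own root CA, with hostname checking kept on,
    so a self-signed deployment gets the same validation a public CA-signed
    cert would. root_ca_pem_path is the PEM file you installed on the client."""
    ctx = ssl.create_default_context(cafile=root_ca_pem_path)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


if __name__ == "__main__":
    # Constructed stand-ins for DER certificate bytes; real clients use
    # ssl_sock.getpeercert(binary_form=True) after connecting to port 993.
    store = {}
    for cert in (b"constructed-cert-A", b"constructed-cert-A", b"constructed-cert-B"):
        print(check_pin("imap.example.invalid", 993, cert, store).value)
```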
