https://en.chuso.net/security/ Recent content in Security on chuso.net Hugo en Wed, 18 Nov 2020 20:31:24 +0100 https://en.chuso.net/trusting-invalid-ssl-certificates-wrong.html Wed, 18 Nov 2020 20:31:24 +0100 https://en.chuso.net/trusting-invalid-ssl-certificates-wrong.html <p>So let me put it clear from the first line: trusting invalid certificates is wrong.</p> <p>And now I will explain why it&rsquo;s wrong and why there are few excuses for it.</p> <p>We are talking here about certificates for SSL encryption, which serves basically two purposes:</p> <ul> <li><em>Privacy</em> — data is transferred encrypted and can only be decrypted by the intended recipient and not a third party wiretapping the line.</li> <li><em>Authentication</em> — making sure the receiving end that will be able to decrypt the data is who they claim to be and data is not diverted to a different receiver by a third party with access to manipulating our transfers.</li> </ul> <p>Invalid certificates obviously defeat the second purpose of verifying the other end&rsquo;s identity:</p>