THIS IS NOT SECURE.
Authored by: kevinv on Mar 12, '04 10:17:26AM

For stunnel 3.x you can fix this by launching stunnel with:

sudo ./stunnel -v 2 /path/to/stunnel.conf

or

sudo ./stunnel -v 3 /path/to/stunnel.conf

The first (-v 2) causes Stunnel to require and verify certificates for every SSL connection. If no certificate or an invalid certificate is presented, then it will drop the connection.

The second causes Stunnel to only accept certificates listed in its trusted directory (usually /usr/local/ssl/certs/trusted).

You can also, at compile time, force a minimum setting for the -v options (the default is the insecure -v 0).

For Stunnel 4.x you can put the verify level in the config file:
verify = 2
verify = 3



THIS IS NOT SECURE.
Authored by: verbal on Mar 12, '04 02:17:36PM

It still does not do proper certificate validation even with these options set. It will perform the basic set of validation checks (make sure the cert is not expired, CRL checking, etc.); however, it will not do hostname verification checks, so you can still be man-in-the-middled. You are also responsible for obtaining the appropriate CRLs yourself and telling stunnel where to find them.



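The hostname check that the comment above describes as missing, shown as an added Python example (not part of the original thread and not stunnel's own code). The certificate layout follows Python's ssl.SSLSocket.getpeercert(); the host names, sample certificates and function names are constructed for illustration.

```python
# Certificate dicts use the layout returned by ssl.SSLSocket.getpeercert().
def _dns_match(pattern: str, hostname: str) -> bool:
    """Match one certificate DNS name against the requested hostname."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels) or "" in h_labels:
        return False
    if p_labels[0] == "*":
        # A wildcard covers exactly one left-most label and needs at least
        # two further labels, so "*.org" is refused.
        return len(p_labels) >= 3 and p_labels[1:] == h_labels[1:]
    if "*" in pattern:
        return False  # partial or non-left-most wildcards are refused
    return p_labels == h_labels


def hostname_matches(cert: dict, hostname: str) -> bool:
    """True only if the certificate names `hostname`."""
    san_dns = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if san_dns:
        # When DNS subjectAltNames exist, the commonName is ignored.
        return any(_dns_match(name, hostname) for name in san_dns)
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName" and _dns_match(value, hostname):
                return True
    return False


def accept_connection(cert: dict, hostname: str, check_hostname: bool) -> bool:
    """Decision taken after chain, expiry and CRL checks already passed."""
    return hostname_matches(cert, hostname) if check_hostname else True


# Constructed sample data: both certificates are assumed to be unexpired and
# to chain to a trusted CA, so both pass the basic validation checks.
EXPECTED_HOST = "mail.example.org"
GENUINE_CERT = {
    "subject": ((("commonName", "mail.example.org"),),),
    "subjectAltName": (("DNS", "mail.example.org"), ("DNS", "*.example.org")),
}
WRONG_NAME_CERT = {
    "subject": ((("commonName", "www.unrelated.example"),),),
    "subjectAltName": (("DNS", "www.unrelated.example"),),
}

if __name__ == "__main__":
    for check in (False, True):
        print(check, accept_connection(WRONG_NAME_CERT, EXPECTED_HOST, check))
```

With check_hostname=False the wrong-name certificate is accepted because it only has to be valid, which is the gap the comment points at; with check_hostname=True it is refused.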
THIS IS NOT SECURE.
Authored by: paulsomm on Apr 02, '05 05:33:01PM

It's still better than everything going cleartext.

The problem with posts decrying "this is not secure" is that it is MORE secure than nothing. Sure, it can be man-in-the-middled. And, sure, if you're on a cable modem or school network it's likely someone will try. But it's still much better than no encryption at all.

I applaud those trying to use even marginal security, since most people just don't care or don't have a clue how to try. I think the real "fix" here is for the vendors and standards organizations to start taking security much more seriously and start pushing to include secured technologies by default, not as options.

If you're truly so paranoid that SSL'ing your connection still frightens you, I don't think you want to be keeping your documents on a publicly accessible server anyway.


