On 14 October 2012 22:17, Daniel Farina <daniel@heroku.com> wrote:
> The problem there is that it's a pain to get signed certs in, say, a
> test environment, so "don't check certs" will make its way into the
> default configuration, and now you have all pain and no gain.
This is precisely the issue that Debian deals with in providing the
"default Snake Oil" certificate; software development teams -
especially small shops with one or two developers - don't want to
spend time learning about CAs and creating their own, etc, and often
their managers would see this as wasted time for setting up
development environments and staging systems. Not saying they're
right, of course; but it can be an uphill struggle, and as long as you
get a real certificate for your production environment, it's hard to
see what harm this (providing the "snake oil" certificate) actually
causes.