This week's book giveaways are in the Refactoring and Agile forums. We're giving away four copies each of Re-engineering Legacy Software and Docker in Action and have the authors on-line! See this thread and this one for details.
Below are my doubts. Sorry for long queries:
Q. "A self signed certificate is a certificate that is signed by the person creating it rather than a trusted certificate authority. Free self signed certificates can enable the same level of encryption as a $1500 certificate signed by a trusted authority, but there are two major drawbacks: a visitor's connection could be hijacked allowing an attacker view all the data sent (thus defeating the purpose of encrypting the connection) and the certificate cannot be revoked like a trusted certificate can. " What it means? If connection is secure then how the data can be hijacked?
Q. "Any attacker can create a self signed certificate and launch a man-in-the-middle attack. If a user just accepts a self signed certificate, an attacker could eavesdrop on all the traffic or try to set up an imitation server to phish additional information out of the user. Because of this, you will almost never want to use a self signed certificate on a server that requires anonymous visitors to connect to your site." what I got is, attacker can create a fake server with his own signed certificate and get all the data. But what the last line means about anonymous visitors?
Q. Diff between keytool and openssl? Can we do all the work (create keys/sign/import) with a single tool?
Q. "self-signed certificate is not used in SSH public key authentication". what it means? If it is not used in authentication then what is the purpose of self-signed certificate?
Q. When the public key is getting created? while setting the java keystore with keytool or while creating certification request? Can I see the public key in certificate?