How does the SSL work?

Posted: August 5th, 2013, 7:20 pm
by Zapitron
I check the SSL box, and it Just Works, apparently encrypted.

Alas, I don't see any place where I can look at who signed each server's key, or fingerprints, or anything like that (analogous to clicking a padlock icon in many web browsers when using HTTPS).

So it makes me wonder how sabnzbd knows it has the right key for the server. What, exactly, would happen if a server updated their key, or if my ISP (perhaps under government orders, perhaps simply to gather marketing intel) were to become a Man in the Middle? Does sabnzbd show a warning and refuse to connect, or otherwise alert the user if the other side switches to a new key?

It seems like SSL doesn't have much point, unless users have a way to prevent (or at least detect) interception. Am I nuts?

Re: How does the SSL work?

Posted: August 6th, 2013, 12:23 am
by sander
The built-in SSL of SABnzbd is a self-signed SSL. That is not as secure as a real SSL key, and if you use Chrome, Chrome will always warn you.
So:
1) this SSL does *not* make sure you're talking to your own server
2) this SSL does encrypt, but probably less good than a real SSL
IOW: if you want better security, get yourself a real SSL key.

Re: How does the SSL work?

Posted: August 6th, 2013, 7:11 am
by inpheaux
Sander, it sounds like he's talking about NNTPS, not SSL for the web UI.

While we don't show NNTPS connection info, I believe SABnzbd would fail on an invalid cert similar to Chrome (Self-Signed, Mismatch Domain, etc), though I can't think of a time I've ever come across this being an issue, nor can I think of any other NNTP client that shows SSL connection info apart from a successful connection.

Shypike will hopefully be able to chime in with more information here. I don't think it'd be too unreasonable to show certificate info in a modal window upon clicking an icon on the server page for a server we've already authed against, or to show that info when you do a "test server".

...or I could be completely wrong, and this might be a deficiency of NNTPS.

Re: How does the SSL work?

Posted: August 6th, 2013, 9:15 am
by Zapitron
Right, I'm talking about sabnzbd talking to the news servers, not the browser talking to sabnzbd. Sorry I wasn't more clear.
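
The distinction the thread turns on, for a client connecting to a news server over NNTPS, as an added example (not part of any post above and not SABnzbd's code): a TLS context that only encrypts, one that also verifies the certificate chain and hostname, and a trust-on-first-use fingerprint check that reports when a server's certificate changes. All function names are hypothetical, and the host passed to `inspect_server` is whatever news server you use.

```python
import hashlib
import hmac
import socket
import ssl

NNTPS_PORT = 563  # IANA-registered port for NNTP over TLS


def encrypt_only_context():
    """Encrypts the session but accepts ANY certificate, an interceptor's included."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False  # has to be cleared before CERT_NONE is allowed
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def verifying_context():
    """Requires a chain to a trusted CA and a certificate matching the hostname."""
    return ssl.create_default_context()


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 over the DER certificate, the value a 'padlock' dialog displays."""
    return hashlib.sha256(der_cert).hexdigest()


def check_pin(pins: dict, host: str, der_cert: bytes) -> str:
    """Trust-on-first-use: remember the first certificate, flag any later change."""
    seen = fingerprint(der_cert)
    known = pins.get(host)
    if known is None:
        pins[host] = seen
        return "first-seen"
    return "match" if hmac.compare_digest(known, seen) else "CHANGED"


def inspect_server(host: str, pins: dict, port: int = NNTPS_PORT) -> dict:
    """Connect with full verification and return the certificate details.
    Raises ssl.SSLCertVerificationError for self-signed or mismatched certs."""
    with socket.create_connection((host, port), timeout=10) as raw:
        with verifying_context().wrap_socket(raw, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
            info = tls.getpeercert()
    return {"subject": info.get("subject"), "issuer": info.get("issuer"),
            "notAfter": info.get("notAfter"), "sha256": fingerprint(der),
            "pin": check_pin(pins, host, der)}
```

A "CHANGED" result does not distinguish a routine certificate renewal from interception; it only tells the user that the question needs answering, for instance by comparing the fingerprint with one the provider publishes.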