When Is a Self-Signed SSL Certificate Acceptable? 627
UltraLoser writes "When is it acceptable to encourage users to accept a self-signed SSL cert? Recently the staff of a certain Web site turned on optional SSL with a self-signed and domain-mismatched certificate for its users and encourages them to add an exception for this certificate. Their defense is that it is just as secure as one signed by a commercial CA; and because their site exists for the distribution of copyrighted material the staff do not want to have their personal information in the hands of a CA. In their situation is it acceptable to encourage users to trust this certificate or is this giving users a false sense of security?"
Always. (Score:5, Informative)
SSL certificates provide one thing, and one thing only: Encryption between the two ends using the certificate.
They do not, and never been able to, provide any verification of who is on either end. This is because literally one second after they are issued, regardless of the level of effort that goes into validating who is doing the buying, someone else can be in control of the certificate, legitimately or otherwise.
Now, I understand perfectly well that Verisign and its brethren have made a huge industry out of scamming consumers into thinking that identification is indeed something that a certificate provides; but that is marketing illusion and nothing more. Hokum and hand-waving.
Re:Always. (Score:5, Insightful)
Can you cite any examples of a case where a certificate has been subverted in this way?
And while you are on your soapbox, what is the alternative? By what other method do you suggest that I prove to my satisfaction that when I go to www.mybank.com.au that I am actually at mybank's website, and that a dns record somewhere hasn't been subverted and I am instead entering my login details to a phishing site made up to look exactly like my bank?
I'm pretty sure you are talking out of your arse. Unless you can cite some examples of a big name company (eg a major bank) having had their certificate subverted in this way, and not having said certificate revoked almost immediately, i'll stick with what works thanks.
Re:Always. (Score:4, Interesting)
I don't know of any instances of SSL certificates being subverted in the way described by the GP, but there are instances of phishing sites using correct-looking certificates, such as http://blog.washingtonpost.com/securityfix/2006/02/the_new_face_of_phishing_1.html [washingtonpost.com]
"By what other method do you suggest that I prove to my satisfaction that when I go to www.mybank.com.au that I am actually at mybank's website"
Not very easily, but you can use two factor authentication to make sure that even if scammers find out the static username, password, and whatever, it's useless without a second bit of information generated by an electronic device. So the device generates a pin number which is based on time, or generated in a sequence. I have used Cryptocards in the past - they can generate a 7 digit pin number which is valid for one time only - the server knows the order that the card should generate the pin and it can be easily tied into existing infrastructure using by authing using RADIUS. Some UK banks have sent out devices which you need to insert the debit card into in order to generate the code. It's far less likely that the scammer is going to have the debit card, *and* the electronic device, *and* the static username/password.
Re:Always. (Score:5, Interesting)
Re: (Score:2)
I've got one of these for my banking, and have had it for a few years now. I've also implemented rsa tags on a clients terminal server. And yes, they do solve a lot of problem, especially clients being less then perfect with their password complexity.
Re:Always. (Score:4, Insightful)
But there you're solving a completely different problem!
The SSL certificate scheme is there to assure your browser (you) that the bank is who they say they are.
The electronic pad and/or card are there to assure the bank that you are who you say you are.
Completely different problems. Without the first being solved (usually via SSL) then you have no idea who you're giving your username, password and one-time number to.
IMHO this is a MAJOR problem in security. Most people don't understand that there are multiple different issues of trust, secrecy and integrity to be solved in any given situation.
Re: (Score:3, Informative)
It only guarantees that the domain of the site you've connected to matches the domain in your browser bar.
So I set up a company usesave. It doesn't really matter what the company was going to do.
I then get a cert from verisign for my usesave company.
I then setup www.usesave.co.uk, and maybe even phish people with "you must check your details" and wait for people to typo www.icesave.co.uk or click on links in the phishing email.
Of course, hopefully, the site will get shut down quickly, but it's unlikely to b
Re:Always. (Score:4, Informative)
Well, as I understand it, each of these devices has a unique ID, which is seeded into the number generation algorithm. The criminal's device will be spewing out a different number sequence than mine.
Re:Always. (Score:5, Informative)
1) SSL certificates do get issued to phishing sites
2) Some banks have login forms on un-encrypted pages
see: http://news.netcraft.com/archives/2005/12/28/more_than_450_phishing_attacks_used_ssl_in_2005.html [netcraft.com] and http://it.slashdot.org/article.pl?sid=06/02/13/2143251 [slashdot.org]
Re:Always. (Score:5, Interesting)
I figured that would probably happen, but i'd never actually seen it. I don't make a habit of deliberately visiting phishing sites though.
I've not seen a bank do it, but these guys [melbourneit.com.au] do, which I think is just insane, especially seeing as in all other respects (apart from price) they are an excellent domain registrar. Click the login link in the top left and you'll be presented with a non-https page with a username and password on it. I've emailed them about it but they just don't get it. Idiots.
I've stopped using MelbourneIT for new registrations on that basis. I suggest you do the same.
Things are not as they appear (Score:3, Informative)
Just because the form PAGE is not HTTPS doesn't mean the form PUT isn't HTTPS, i.e. a form that doesn't show the little lock icon might still be perfectly secure, but without looking at the page source you won't know about it.
And, ironically, vice versa. I.e. you can have a HTTPS form that actually uses unencrypted HTTP to submit its' data. Your browser is supposed to warn you when you submit an HTTP ("insecure") form and when you go from HTTPS to HTTP within the same site, but after the first couple of tim
Re:Always. (Score:5, Interesting)
Wachovia tells their users to enter their credentials on the unsecured front page, which then submits to a secure script processing said credentials.
What you might be forgetting: What if I set up interception on my shared WiFi (or somewhere at the backbone of the hypothetical ISP I might be working for) to grab all HTTP requests for / going to r3wec01.wachovia.com and add a tiny bit of JavaScript that, in addition to the page working as it usually does, posts all keypresses to a script of my choosing?
Without access to WB's certificate, I couldn't do that on a properly secured HTTPS site. Thanks to unencrypted HTTP, it's pretty [eff.org] trivial [wired.com].
Re: (Score:3, Insightful)
And yet they still have an unencrypted login on their home page. Submitting to an encrypted URL from an unencrypted URL is practically a phish in itself. Most banks do this, and I cringe every time I see it. It begs for a phish attacks, does a disservice to customers, and promotes bad computing habits. But hey, it doesn't really cost the bank anything if your username and password gets whacked.
Re:Always. (Score:5, Insightful)
no no no, really you don't understand. Since the login page is not encrypted, it may have been changed during transfer to your browser. You'll be sending your user credentials to the evil MITM.
See? since you can't trust the login page it doesn't matter that your username & password are sent using SSL, since you'd be sending them encrypted to the evil MITM.
You are correct to point that out (Score:4, Informative)
However, that is why Https security has to stand on a 'tripod' from the users' point of view:
1) The lock icon appears in the address bar (while a picture of a lock on the page doesn't count).
2) The domain name in the address bar is spelled correctly (because the lock is saying that the cert 'matches' the domain).
3) No certificate warnings appear from your browser.
If any one of those 'legs' is missing, then assurance of link security falls down. Otherwise (barring your computer being infected/compromised, or having a massive bug) you can be sure the link is both solid and also not a phishing site.
Re:Always. (Score:5, Informative)
Can you cite any examples of a case where a certificate has been subverted in this way?
As others I am sure have already said, the strength of the identity verification is solely based on how the verification is done.
Re:I wonder... (Score:5, Insightful)
Not nearly as much damage as would have been done if everyone used self-signed certs. Look up 'man in the middle' attack.
Re:I wonder... (Score:5, Insightful)
Certificate key signatures can prevent MITM attacks. Provided someone doesn't MITM the signature exchange...
CAs are good, but, as I point out in another comment, most of us treat them magically. We don't do anything to verify our trusted cert lists. Can you tell me right now *with certainty* where your trusted CA list came from and that it hans't been modified by someone hostile or by hostile code?
If you can't tell me that for sure, then you are *less* secure than someone using unsigned certs who has personally verified key signatures face-to-face.
Re:I wonder... (Score:4, Insightful)
Re:I wonder... (Score:5, Insightful)
Re: (Score:3, Informative)
Furthermore, have a look at the CA list in your browser. (In Firefox: preferences->advanced->encryption->view certificates->authorities). Now, have any idea who those are? If not, then you're taking a stranger's word for another stranger's ID.
Verifying the key out of band (Score:3, Interesting)
>personally verified key signatures face-to-face.
Over the phone is probably adequate. You already know your bank's phone number. Incidents of phone numbers being rerouted are rare, though there are rumors of escort services in Las Vegas redirecting traffic meant for their competitors, and Florida's probation department once had their phone number remapped to a phone sex service in New York.
Over the phone, you'd just have the website operator read you the thumbprint for their cert. You could check it agai
Re:Always. (Score:5, Insightful)
I totally agree - The internet would be FAR more secure if there was a way of using self-signed certificates without browser warnings.
But the certificate vendors have a licence to print money and abuse it horrifically.
For example, a certificate for a domain www.example.com costs a fraction of what a certificate for a wildcard *.example.com would cost. What extra work do they have to do for that extra money?
ALL sites would be more secure with a self-signed certificate than plain HTTP. But self-signed certificates scare the crap out of visitors with their alarmist warnings. If anything, the warnings should be shown on plain HTTP sites saying "Watch out! This isn't encrypted".
So. I say get rid of the self-signed warnings from all browsers, they do far more harm than good. Instead, make it clear on the browser with colouring, icons, whatever, whether the site has a verified certificate from a CA, or it does not (in the case of self-certs or HTTP).
Jolyon
How so? (Score:2)
How so? Both are susceptible to a man in the middle attack. In the self-signed certificate scenario the man in the middle merely needs to generate their own self-signed certificate.
That's slightly more complicated but not enough to deter anyone if the information is even vaguely snoop-worthy.
I agree however that the certifying authorities are largely rip-off merchants.
Root on CD (Score:2)
Re: (Score:2)
For casual uses, you can get a really basic cert at godaddy for $10. I fail to see why that's so bad. The CAs really do check your identity for the $100 certs and that takes personnel and resources. I fail to see why that's so bad.
Re: (Score:2)
This is slashdot anything dealing with spending money and a company making profit is bad. Yet they will complain that their salaries are too low, and have hard time finding job.
Re:Always. (Score:4, Informative)
No they don't. We have a code signing cert. I got it by email - I'm not the owner of the company or anything.. I just looked up the company reg. number and sent them the registered address and they replied with the link to the certificate the same day.
I could have been *anyone* - there was absolutely no real verification.. I literally googled all the information as it was quicker than asking my boss. For this they wanted $200.
Re: (Score:2)
Basicly, if you trust the included root certs, then you basicly trust that some person who installed the certificate on the site at one point had access to an e-mail address on the domain, or something like that. It guarantees nothing.
Self-signed certificates lets the user decide if he want to trust the site, and the user should be given a warning when the certificate changes, i.e. man-in-the-middle.
I would say self-signed are better. But they MUST match the domain name.
Re: (Score:2, Interesting)
This is utter nonsense. Either you have been scammed, or you are a scammer.
Let me tell you what a certificate does in its typical web application. It allows you to create an encrypted conversation with the webserver. At the time the certifica
Re: (Score:3, Informative)
I think you've misunderstood it (or I've not read what you said close enough).
You are Alice. You want to talk to Bob's website: www.example.com
I'm Evel (Hi, I'm male, can't use Even then ;) - and I by chance control your upstream.
Alice -> home network -> ISP (Evel) -> Bob.
Now, you try to connect to www.example.com, and he has got a signed certificate. I don't care about that, and insert my own certificate generated nicely for www.example.com . You get a browser warning - and since you know that
Re:Always. (Score:5, Informative)
You are Alice. You want to talk to Bob's website: www.example.com
I'm Evel - and I have hacked Alice's computer, compromising anything I need to, from her certificate collection to her browser to her hosts file or all of the above.
Alice ->[her browser hums a happy song] home network -> Evel [collects her CC info, etc., moves to island with hot chicks and rum drinks.] Mind you a keylogger would be enough, but just for fun...
Alice is not safe from attacks. Not with a certificate, and not without one. End of story.
However: If Alice talks to a legitimate merchant, and no one has hacked anything, then the conversation between her and the other end is very difficult to break into, moreso than her computer, I might add. Which is the same advantage you would have had with self-signed certificates. The ONLY time you're safe is when you've not been hacked. To say that because ONE hack has been deterred -- the MITM attack -- the user should feel safe... I'm not buying it. It is as meaningless as saying you're safe because one out of a thousand vulnerabilities in your browser have been patched. You're not safe until there are no vulnerabilities; consequently, you're not safe. Period.
Re: (Score:3, Insightful)
No.
The function of the KEY is encryption. The function of the certificate is authentication.
Big difference.
Re: (Score:3, Interesting)
But that's nonsense. I have been robbed by the SSL certificate companies so that my shopping cart page would not flag any browser warnings. I paid my money and had the certificate the next day. They didn't contact me by phone or snail mail. The m
Re:Always. (Score:4, Interesting)
Comment removed (Score:5, Informative)
Re: (Score:2)
> 4. You compromise the user's PC, patching the web-browser to accept bogus credentials. In this case the user is at fault
I think point 4 should really read:
"4. You compromise the user's PC, patching the web-browser to accept bogus credentials. In this case the *users operating system* is at fault."
Depends. (Score:2, Informative)
A symmetric cypher combined with a random key provides the encryption. The rest of the system is only there to ensure that the parties who have the key are actually the endpoints, and that necessarily includes the authentication of their identities. The possibility that the certificate owner may not have been sufficiently diligent with his secret key is a problem which all cryptographic systems share. Nevertheless, identity verification is important for protecting against trivial man-in-the-middle attacks a
Control of the certificate? What about the key? (Score:2)
What do you mean "control" of the certificate?
The certificate isn't secret information, it's sent publicly at the start of every ssl request.
The private key is the part that means only the proper person can establish an SSL connection certified by that certificate. Incompetence aside there
Verifying SSL keys the way you verify SSH keys (Score:2)
This is because literally one second after they are issued, regardless of the level of effort that goes into validating who is doing the buying, someone else can be in control of the certificate, legitimately or otherwise.
What do you mean "control" of the certificate? [...] The private key is the part that means only the proper person can establish an SSL connection certified by that certificate.
Incompetence that leaks the private key can happen faster than you might expect.
If you add an exception for a self-signed certificate then you basically have to trust that the first time you hit a site you aren't being hit by a man in the middle attack.
It's a little bit harder for an attacker to make a man-in-the-middle attack if the owner of a self-signed certificate reads you the certificate's fingerprint over the phone, no?
Re: (Score:2)
I disagree 50%. In practice, this is correct, but in theory it is not.
Theoretically, the CA is actually checking the identity of the orgs they sell certs to. Most actually do this to a limited extent.
Also, each of the CAs keeps a revocation list for certificates that got out of reach. In order for someone to use the certificate illegitimately, they have to gain control of the domain name *and* the certificate -- or simply the web-server I suppose.
If no major security breach is *currently* in progress,
Mod parent DOWN, please (Score:3, Informative)
He is spreading misinformation. The Internet and its security mechanisms were never meant to verify real-world identity (whatever that means: photo, street address, SSN?) or good intentions. Yet SSL does, however, validate the site's Internet identity... it ensures that the domain name you see in your address bar represents the actual server(s) registered to that domain name. As others here already pointed out, this prevents MITM attacks.
Thus, when you conduct critical business on the Internet, it is import
Re: (Score:3, Interesting)
it ensures that the domain name you see in your address bar represents the actual server(s) registered to that domain name. As others here already pointed out, this prevents MITM attacks.
No, it doesn't! It ensures that the server that you are connected to has a cert with the name of the domain on it. It could have been signed by any of the many CAs in the browser's list. Perhaps the real site has another cert with that domain name on it signed by another CA, but you won't know that.
The system is only as believable as the least conscientious CA in the list.
Re:hipotesis (Score:5, Insightful)
It's not really a No No; it's just that, in order to be sure that the certificate is okay, you have to be able to ensure that you have the same level of security as a normal certificate. What is that exactly??
Well, a normal certificate is often verified simply by email. In order to get one you have to prove that you can respond to email for your domain. In other words you prove that you get IP packets that are destined to that domain (recieve the email you want). This is quite a bit harder than spoofing, but much easier than breaking an RSA key.
So, how can we get the same level of security? Well, if we connect to a web server then that web server has proven that it can get the packets for that domain. Any certificate it distributes has almost the same level of security as a normal web certificate. There is one difference. When you use a normal certificate they are proving that they can now recive your packets and they could at another time much earlier when they contacted the cerfificate authority. Minor seeming, but important difference. You can gain the equivalent security by checking that the certificate is the same as it was some time before and checking that you have the same certificate as other people world wide.
So a good way, would be for the web site you are posting about to post their certificate fingerprint on various public web sites and news groups known to be associated with them. That would be just as good as a normal web certificate. Or put another way, given the amount people pay for them and the security they advertise, normal certificates are indeed scams.
Please note, this discussion doesn't cover extended verification which is also a partial scam, but not as bad as normal certificates. Please note also, that there are some of the older certificates which also require more than just email verification. That is totally irrelevant since your browser interface doesn't differentiate between them and the hackers will always go for the weakest security.
Re:hipotesis (Score:5, Insightful)
Re: (Score:3, Insightful)
Here is the problem though. Why should I trust a signed certificate? If I go to a website and am prompted by an un-signed certificate, I need to determine if I trust that that web site.
If I go to a web site and their certificate is signed so no prompt but I have just blindly put my trust in the web site and in the nameless CA.
Personally, I don't trust the CA's any more than I trust some random website.
Not really (Score:3, Insightful)
Don't signed certs also protect against phishing? When you go to your bank website, their cert is signed by a CA. If a phishing website is trying to trick you into giving them your username, they won't be able to have an SSL website that has the CA signed cert, which should be a red flag to a user that something is not right.
Not really. A phishing site could get its own SSL cert for whatever domain it's using. For example, a bad guy could get a cert for paypa1.com and https://paypa1.com/ [paypa1.com] would work just fine with a proper secure connection.
The idea is that Verisign or whatever CA granted the certificate should have checked them out, and only give them a cert if they're "good". However, their idea of "good" is completely up to them. You're trusting that whatever they say is good, is good to you also. But what if my name is B
Re:hipotesis (Score:5, Informative)
Infact, having a third party signing your certificate potentially reduces it's security, since they are now in possession of the certificate too, and have likely transmitted it to you via plain text email.
There is nothing whatsoever that is confidential in an X.509 certificate.
It is a chunk of bytes that says "Public key P corresponds to identity I, according to authority A", and it contains a signature created using A's private key, which ANYONE can check using A's public key.
During the whole request and issue process, the secret bit -- I's private key, never leaves I's possession.
The certificate could be printed in the New York Times, with no loss of security.
Re: (Score:3, Informative)
Except that the certificate authority also issues the private key at the same time. Otherwise they couldn't validate the signature themselves.
No.
Re: (Score:3, Informative)
I don't see why they can't apply for a "real" cert.
Quite a few CAs these days use only email to verify that you are entitled to the cert (usually obtained via whois records). Some of them do it for free (cacert.org, although the CA cert is not trusted by many browsers).
I'd be happy to trust a cacert.org CA certificate, but *not* some random CA who could then issue certificates for other sites.
Re: (Score:3, Insightful)
Re:hipotesis (Score:5, Informative)
The problem is that a self-signed certificate suffers from attacks at distribution time, whereas a CA signed certificate does not.
First, you have to understand what a certificate is. A certificate consists of two parts: a public key, and a subject. The public key has a matching private key, but only the owner of the certificate has the private key (no one else; not even the CA). The subject tells us who the cert belongs to, and it is signed with the private key (so we can use the public key to make sure the subject hasn't been altered).
If I connect to your server via SSL, and you provide me with a self signed certificate, then that certificate proves that you are you (because of the subject), and it provides a means for us to establish encrypted communication (because of the public key). All is well, right?
Well, not quite; this only works if you've provided me with your cert ahead of time via some other secure channel (not the web). Otherwise, this setup is vulnerable to the classic "man in the middle" attack. Someone who wants to intercept our communication pretends to be you, and gives me his own "fake" self signed cert. I establish communications with the attacker; the attacker's subject is signed with the attacker's public key, and the attacker has the private key so he can read the messages I send him. The attacker then establishes communications with you, and passes my messages on to you, and the attacker can now listen in on everything we say.
The attacker could also pretend to be you, again by providing me with a self signed cert that claims to be you.
The problem in both of these attacks is simply that I have no way to verify that this self signed cert is really your self signed cert. If you had given it to me ahead of time, I could have added it to my list of trusted certs, and then when the attacker presented me with a different cert, I'd know someone was up to something. (Although, how would I know it was really you when you give it to me "ahead of time"? And if we have some out of band secure channel, why aren't we using that instead?)
Now, why isn't this a problem with CA signed certs? The CA goes through varying levels of pains to verify that you really are you when you submit a signing request. So I get a cert from you, it's signed by the CA's cert's private key. I check the signature against the CA's cert, and I see that it is good. Since I trust the CA, I know that this certificate really is your certificate.
The man in the middle attack and the "pretending to be you" attack won't work here; if the attacker provides me with a different certificate, then the certificate's signature will either not match the certificate, or else won't have a signature. The attacker could simply grab your certificate (it is provided to anyone who asks for it by your web server - the certificate itself is public knowledge), and then the cert would pass the signature checks, but since the attacker does not have your certificate's private key (only you have that), the attacker would be unable to decrypt any communication I send to him using your certificate.
There's nothing wrong with self-signed certs in and of themselves. You will notice that the signing certificates belonging to the CAs are self signed. This only makes sense; the CA signed your cert with their cert, but who signed the CA cert? Even if someone did sign it (the uberCA), then who would sign that cert? It has to end somewhere, so it ends at the CA.
The thing about the CAs' signing certificates is that they are "well known". Everyone has a copy of them; they come with your operating system. If, for some reason, you distrust your OS distributor, you can go find multiple copies of them scattered about the internet. If you could convince OEMs to include your self signed cert, it would be just as good. :)
Re: (Score:2)
No. It just ensures you're out some fees. It does not ensure you're talking to a server that legitimately hosts google.com, or to any particular IP, even.
In order to hose you, all I need to do is direct your browser to a new IP where I have a server set up to respond as www.google.com, with a certificate to match which I got from my brother, who w
Interesting (Score:2, Interesting)
"and because their site exists for the distribution of copyrighted material the staff do not want to have their personal information in the hands of a CA"
So it exists for the distribution of copyrighted material, right? Just like, say, Amazon? Or like SourceForge? So what's the problem of the CA knowing their personal information? After all, the domain registrar already knows the correct data, right?
Or are you saying that they exist for the distribution of copyrighted material illegally, in which case we al
Re:Interesting (Score:5, Insightful)
"When is it acceptable to encourage users to accept a self-signed SSL cert?"
The answer is: Never.
What is the point of being sure that no one can intercept your communication all the way from your browser to the server if you don't know who you are talking to in the first place?
If someone knocked to your door and asked for your money would you give it to him because he has a bulletproof truck so the money will be safe all the way to whatever it is going to? Or would you trust the guy in the truck because he showed you a self-signed document saying: "I am authorised to do what I'm doing. Signed: me." Of course not!
But you'd be happy if you'd arranged with your bank for a truck to come and pick up the money, and when the truck arrived and you asked to see his documentation he said "Here it is, guaranteed by Fred Bloggs over there." And you have no relationship with Fred Bloggs (although you guess your bank does because the driver says so!) and no comeback against Fred Bloggs if he screws up even if he does have a relationship with your bank.
Quite frankly what I'd want is my bank having its own root cert that was self signed. I can confirm with my bank that I've got the right cert. And then when the driver turns up he can say "Here it is, guaranteed by your bank". And if the bank has screwed up and let some third party get hold of their root cert private key then I've got a relationship with the bank and I can sue them.
And when I communicate with my bank I should be able to give them my root cert and then they can check I'm who I say I am (they can use other methods as well if they don't think that is secure enough)
IIRC the hmrc website (UK TAX) allows you to use client side certificates to communicate with them but doesn't allow self signed ones. But why not? Is hmrc more confident that verisign can tell who I am than hmrc itself is? As a result I don't use a client side certificate.
Tim.
Re:Interesting (Score:5, Insightful)
The answer is: Never.
Actually, the answer is: Always.
if you don't know who you are talking to in the first place?
For most purposes it's sufficient to know I'm talking to the same guy I was last time.
Or would you trust the guy in the truck because he showed you a self-signed document
Instead I'm supposed to trust the guy in the truck because he shows me a document signed by the guy in the truck next to him?
The economic interest of a CA is diametrically opposed to their purpose. They maximize their profit margins by _not_ doing what they should be doing; hence I have no more reason for trusting Verisign (the guy in the truck next to him) than the guy himself.
In fact, I'd be better off establishing my trust once with the guy in the truck, then accepting that trust in the future; trusting the CA merely means I've opened myself up to being blindly tricked coercion of the CA. If the certificate of the person I've established trust with changes I know somethings up. If I'm subjected to a MITM attack signed by a trusted CA I wont even notice.
False sense of security
Funny, I'd say that the false sense of security is exactly what you get from CA signed certificates.
Re: (Score:2)
"When is it acceptable to encourage users to accept a self-signed SSL cert?"
The answer is: Never.
What is the point of being sure that no one can intercept your communication all the way from your browser to the server if you don't know who you are talking to in the first place?
There is a big difference between knowing who I'm talking to and knowing that I'm talking to the same person I talked to last time. Most of the time I don't care about the former. Do I care that an author is who they say they are? Or do I care that they wrote a specific book?
Most of the time relationships (especially on the internet) are not dependent upon the actual identity of the person I'm talking to. They rely on the history that I've had with that person. And there are many times when I might
Re: (Score:2)
There is a big difference between knowing who I'm talking to and knowing that I'm talking to the same person I talked to last time. Most of the time I don't care about the former. Do I care that an author is who they say they are? Or do I care that they wrote a specific book?
If you have a printed copy of the book, how do you verify that the errata web page listed in the book is in fact under control of the author or publisher? CA-signed SSL certificates help you connect an off-web identity to an on-web identity.
Re: (Score:2)
Re: (Score:2)
Self-signed certificates are pointless, because you are confident than no one is listening but you have no idea who are you talking to
Once you accept a certificate you can be sure that, from that moment on, you are talking to the same person you were talking to when you first accepted the certificate.
So you can take special measures to ensure that the self-signed certificate is valid, that VeriSign might take themselves with a CA-signed certificate, and from then on you can be sure that you're safe.
So it can be less convenient, but if people know what they're doing (not always the case) it can be just as secure as a CA-signed cert,
Re: (Score:2)
You realize, however, that this is exactly how SSH works?
The first time you connect to an ssh server, the server sends out it's key. It's self-signed key. And the client polietly asks you "Would you like to accept this key?, here is it's fingerprint" It's now the *users* responsibility to trust that key, via some other secure channel or web of trust. *This* is the only opportunity for a MITM attack, ev
Not really (Score:2)
It's only giving a false sense of security if people do not trust your web site. If the certificate authority is setup well, the server certificates are created from it like they should, and the certificate authority server is secured well enough (ie: not accessible from the outside in any way) the setup is in no way 'less safe' or trusworthy than using a known certificate authority. It's not like anyone can fake your CA or the client certificates.
where's the article? (Score:2)
Geez, I bet none of you even RTFA before you posted;)
This story reads like... (Score:2)
...O.J.'s "If I Did It, Which I Didn't, But Could Have, And Might Have, And Probably Did, But You Can't Prove It, And After All The Bitch Was Really Asking For It, But That's No Big Deal And I'm Going To Go Play Some Golf" manuscript.
No links, no research, no facts, just a gripping headline that has nothing to back it up other than claiming that "a certain web site" did something.
That's some great detective work, Lou...
Trivial question - how about the math answer ? (Score:5, Informative)
Self-signed certificates are acceptable if you can spread the root public key *yourself* in a secure manner.
Simple, no ?
In any exchange between 2 known parties for example, it is *always* preferable to have self-signed certificates.
Internally (Score:2)
Only internally, when you have rolled out your trusted root cert to all the users who might access you site (in a secure manner of course).
Or during testing when you have dev.mywebsite.com that you are giving selected users access to for debug and testing purposes. But the cost of a dns validated cert is so low that you might as well just fork out the $$$ and put a proper cert on it anyway.
Development uses only (Score:2, Insightful)
I'm a software developer and will often create my own certificates for testing purposes, and in my test lab people will trust them, however out in the wild there is no excuse for not getting a proper certificate signed by a proper authority.
Not only is this coming across as the company trying to do things on the cheap it has the possiblity of unraveling the trust of SSL for places you actually care about. If this becomes wide spread just think of the phishers create a copy of A Bank's site make their own
Requirement for a signed certificate SSL flaw (Score:5, Insightful)
This meant that many sites applied for SSL certificates just for secure communication. Some certificate authorities virtually issued certificates on request.
To get round they introduced extended validation certificates [wikipedia.org], which means we really, really validate this site.
They should have allowed secure communication without certificates, and had properly authorised certificates to start with. Since they didn't we have the situation where people have to self-sign
Re: (Score:2, Informative)
Isn't any encrypted communication without some form of identification susceptible to man in the middle attacks?
Re: (Score:3)
However it's an order of magnitude at least more difficult to perform a man in the middle attack than to simply observe the data from the network.
(I was going to moderate this thread, but there's sufficient misinformation that I'll reply instead.) There are two sorts of attacks possible, either by snooping or by DNS poisoning (well, there are more, but those are the main two). Snooping is defeated by encrypting the channel. DNS poisoning (and other types of man-in-the-middle attacks) is defeated by ensuring that the person/server at the end is who you think it is. The best way to do that is if you already know the public key of the other party, but
Re: (Score:2)
Re: (Score:2)
It's at least as secure! (Score:3, Insightful)
IMO, self signed certificates can be more secure. And for the site in question there's a risk of governments strongarming the certificate authorities to provide signed certificates so the government can launch MITM attacks.
I have a https website on my home machine that occasionally I connect to from work.
Now I get a popup about how the certificate issuer isn't recognised etc.
If someone at work (who controls the browser, the proxy, the network etc) decided to sniff all SSL traffic - which they could do with a MITM attack because they control at least one of the allowed root certs in the browser - my popup would disappear (unless they were very careful)
Likewise, my mail servers all use self signed certificates. Again, someone trying to attack me by getting verisign (or whoever) to sign a certificate, will not work.
Self signed certificates don't prevent attacks but they do mean that the attack cannot easily be automated.
(Actually I have a single self signed root cert that I then use to sign all my other certs rather than each cert being self signed)
It's swings and roundabouts. Verisign et al have built a whole industry out of convincing people to trust them more than the person's own bank.
I'm surprised we don't already see spam attempting to get people to install new root certs. (Or maybe we do - almost all the spam I get gets stopped by greylisting or caught by spamassassin)
Tim.
Tons of them (Score:5, Informative)
I find a self-signed certificate is useful on many occasions. I use it for my own squirrelmail service. I have set them up for "extranet" applications for small business clients.
This is just fine. I give them a hard copy of the key signature and tell them to verify it before the accept it.
Someone above says the a CA adds nothing. I don't agree with that. They add identity verification *to the extent* that site visitors actually *read* the certificates and evaluate their level of trust in the CA.
Quick: Tell me right now how many CAs are in your browser's trusted certs list. Now tell me where that list came from. Tell me why you trust it.
In other words, the signed certificate system can provide excellent security, but most of us simply trust our browsers when they don't complain. That isn't security. You really should check certificates every time. View the details, check the signatures, verify the integrity of your trusted CA list. But who bothers?
So while I don't agree that CA signed certs "add nothing," I do agree that hardly any users (including me who theoretically knows better) do their due diligence that would make that system truly work.
As long as you trust the CA... (Score:2, Insightful)
A self-signed certificate encrypts your data just as well as any other. However, you need to trust the website you are at (and hence the signing authority). The reason people trust sites like Verisign, is that it is often difficult to know how legitima
Re: (Score:2)
For example, most people trust Verisign.
They do? I certainly don't. Verisign has given me no reason to trust them, in fact, their corporate history, actions, statements as well as the judicial climate of their legal venue have given me plenty of reasons to explicitly distrust them.
The reason people trust sites like Verisign
I'd say the reason people trust Verisign is that it gets installed in their browsers by default and they cant be bothered to check. You could install RusChin Phishing Corporation as a def
Re: (Score:2)
Firefox 3 (Score:5, Informative)
I've noticed that Firefox 3 is much less forgiving of self-signed certs than other browsers. There's a lot more hoops that one has to jump through to get a page to load.
I've found it rather annoying, since all our internal web applications are served via SSL.
Re:Firefox 3 (Score:5, Informative)
Re: (Score:2, Informative)
All of our internal websites have self-signed certs. Once I added the permanent exception once, I never got another popup - unlike on FFX2 which gave me a box every time....
Re: (Score:2, Informative)
Why don't you add the root certificate to you browser? In Firefox 3: Tools -> Options -> Advanced -> Encryption -> View Certificates, then add the root certificate to your list of authorities. If memory serves me well, that should do the trick.
When you do your own trust check (Score:2)
A SSL certificate, even if not from a trusted party has a stable fingerprint you can use to verify it. Hell, the threat of verifying the fingerprint it often enough. Like in this case, TPB don't need to be certified to any real person or organization. They just need to have the fingerprint published well enough people will agree this is the real Pirate Bay(tm) and not some MITM attack. And don't forget that SSL, unsigned or not protects against an attacker that can only read and not write data.
They're technically correct, but.... (Score:2)
A self-signed certificate doesn't detract from the security, this is true. But a real certificate does place an (admittedly low) barrier to entry against fraudulent sites.
Windows has spent the last 15 years encouraging people to click away the dialogue box without reading it. Encouraging the use of self-signed certificates will lower this barrier to entry by encouraging people to think "ah, it's still secure so it's OK".
What are you protecting ? (Score:2)
It depends on two factors:
1. What are you protecting
and
2. Against whoom.
When you know the answer to those two questions, you will know the answer to your initial question,
Depends what you're signing (Score:2, Insightful)
For simple websites, why not, but for complex service-oriented systems, absolutely not as working around eronious certificates requires you deliberately code exceptions for.
Bad licences ultimately give you a bad testing environment, and seeing how SSL certs aren't expensive, I would say get SSL certs where possible.
Key distribution (Score:4, Informative)
Using self-signed certificates inside an enterprise is fine so long as all the clients have the certificate authority's public certificate installed. Key distribution mechanisms like group policy make it simple.
Sadly Firefox makes it less secure because it uses its own key store rather than the host operating system's, so users must manually import the certificate before attempting to visit an SSL-secured website.
What Are You Getting? (Score:4, Insightful)
The cynic in me believes that Firefox and IE are giving you all sorts of 'helpful' warnings these days, not to protect a user's security, but to push website developers into buying certificates.
Using certificates is about one thing - encrypted communication between browser A and server B. That's it. Certificates have never given you any guarantee as to the integrity of the site that you're visiting, and it gives no guarantee whatsoever of who you are talking to, as some people are stupidly claiming around here. To give a guarantee like that, further technology is needed.
As a rule of thumb, if you have a finite number of users logging into a system then a self-signed certificate is OK, and even preferable. If you have some kind of site where the users you can have can be anyone (shopping site for example), then it's preferable to buy a certificate - if nothing else, to keep people from getting infernal warnings popping up in their browser.
Re: (Score:3, Informative)
You should get a proper certificate signed by a CA. With a proper certificate, the end user's web browser can verify that your certificate did actually come from your web server, and not some other random computer pretending to be your web server.
The reason why browsers complain about self-signed SSL certificates is not because they are self-signed, it is because they cannot be verified as coming from your web server. If you set up your own root certificate and install it into your user's web browsers, then
Re: (Score:3, Insightful)
Using certificates is about one thing - encrypted communication between browser A and server B. That's it.
That is not correct.
Certificates have never given you any guarantee as to the integrity of the site
Correct.
it gives no guarantee whatsoever of who you are talking to, as some people are stupidly claiming around here.
Actually, that is the ONLY reason certificates exist.
You do not need a certificate to encrypt communication.
Certificates are an identity authentication tool.
Obviously it cannot ensure that it is Fred on the other end of the line. It only ensures that it is a computer with Fred's key. It is up to Fred to keep people from stealing his key and impersonating him.
If you are considering using SSL on your new website I suggest you go and read up on it.
Re: (Score:3, Insightful)
No they aren't. Also, there is no point in encrypting between A and B if A and B have no idea who each other are. A or B could in fact be one of the very people you're using encryption to protect your communications from. You have no idea.
Better than the alternative (Score:2)
The alternative to accepting individual certificates, is for 'Hypothetical Piracy Enablers' HPE to create their own CA, and for you to accept their CA certificate as a trusted signer.
There's nothing technically difficult about becoming a CA. OpenSSL can handle the bit-twiddling aspect with no problem. The hard bit about being a CA is all the authentication that's supposedly done before signing a certificate, and the risk and liability responsibilities taken on.
It sounds very convenient to accept HPE's CA ce
Trouble is, SSL does two things and users are dumb (Score:5, Insightful)
To compensate, browsers have ratcheted up the warnings given about self-signed certs to extreme levels, making them essentially useless for any site or service catering to the general public. This, then, creates a demand for cheap certs, which leads to shoddy verification, which defeats the purpose, which leads to E.V. certs, which are what certs are supposed to have been all along, only more expensive and with a snazzy green bar that nobody understands. Fan-Fricken-tastic.
What we really need is a clear distinction between "identity" certs and "stability" certs. Identity certs would essentially cover cases where trust in a given entity is a function of official verification; e.g. when I walk into a bank, my level of trust is based on the legal status of the bank, is it an FDIC member, where is it incorporated, are its financial data properly disclosed, etc. In this case, an assigned SSL cert is just one more official aspect of the entity.
The stability cert is different. It maps roughly onto the class of interactions that are based on reputation and patterns of behavior. You don't trust your best friend because you've checked his official ID, and you know that he is who he says he is, you trust him because you have been able to observe his behavior and interactions over a period of time. For this case, you don't need an SSL cert that is tied to a real world name, you need one that shows continuity over time. For example, knowing my real name would be of essentially no use in deciding whether or not to trust something I say in a post. Knowing that I am the same fuzzyfuzzyfungus who has posted in the past allows you to read my old posts and decide if I am reliable or not.
The solution to this need is not CAs in the classic sense, that verify identity then hand out a cert; but public repositories wherein people can deposit self-signed certs at a certain point in time and have that event on file, among a number of repositories, for anybody who asks. Then, if you go to my website, you can look at my cert and, rather then getting something useless like "certificate for foo-barr.org was issued to Mr. foo barr by Verisign", you can see "foo-barr.org has operated under the same entity's certificate for x years." From this, you could then judge the entity based on their last x years of activity.
The trouble with this notion is that it would require a subtler set of distinctions than the current setup, which people are, on the whole, already uselessly befuddled by. Oh well.
Possibly advantage of a CA (Score:2)
If a large number of people complain that a company is not who it claims to be or a certificate is compromised the CA can potentially blacklist the certificate.
I guess this is a potential advantage of a CA, even though they are generally pretty useless.
Man in the middle (Score:2)
Signed certificates provide exactly one additional protection versus no certificate at all: sessions so protected are not vulnerable to a man in the middle attack. With a self-signed certificate, someone in the middle can create a new self-signed certificate, decrypt and log your communications and then re-encrypt them with the site's real certificate. As the user, you won't know because it all looks the same to you.
That having been said, SSL with a self-signed certificate is MUCH more secure than no encryp
True Story (Score:5, Interesting)
While at DEFCON working the Wall of Sheep one year we discovered that someone had setup a WEB site on the network to bet on the outcomes of the hacking contest - they used a self signed SSL cert. Now some people, being paranoid on a VERY hostile network, turned down this certificate and promptly created\used the WEB site sans SSL - exposing their creds clear text. We promptly snarfed these and posted them on The Wall. 0wned!
All they had to do was accept the cert and they would have been protected. But I guess since seeing that pop-up was out of the ordinary and being on a network that was so nasty they thought they would play it safe and say NO, how stupid....
Yes, a self-signed certificate is just a secure (Score:5, Informative)
Using a public CA like Verisign buys you is that since their public CA certificates are already distributed in browsers, any certificate issued by them should just work. Oh, and make sure the host name matches the common name.
RTFWP or just search ... PLEASE! (Score:3, Interesting)
Applied Security Technology will always meet the expectations of experience.
http://en.wikipedia.org/wiki/Pretty_Good_Privacy [wikipedia.org]
http://en.wikipedia.org/wiki/OpenPGP#OpenPGP [wikipedia.org]
http://en.wikipedia.org/wiki/Public_key_infrastructure [wikipedia.org]
http://en.wikipedia.org/wiki/Certificate_authority [wikipedia.org]
http://en.wikipedia.org/wiki/Philip_Zimmermann [wikipedia.org]
http://en.wikipedia.org/wiki/Secure_Sockets_Layer [wikipedia.org]
http://en.wikipedia.org/wiki/Secure_Sockets_Layer#TLS_handshake_in_detail [wikipedia.org]
http://en.wikipedia.org/wiki/Hardware_token [wikipedia.org]
http://en.wikipedia.org/wiki/Biometric_authentication [wikipedia.org]
https://www2.sans.org/reading_room/ [sans.org]
http://www.giac.org/certified_professionals/practicals/gsec/4993.php [giac.org]
http://www.giac.org/certified_professionals/ [giac.org]
http://www.linkmatrix.de/index.php?education=home [linkmatrix.de]
http://www.linkmatrix.de/tutorials.php?q=PGP [linkmatrix.de]
Those that can DO, read. Those who can read, but not DO, preach.
Readers, fakers, and test-takers always manage to fail.
Hands-On experience and continuous-learners always work for tale (or is that rep).
To many PGP/PKI/CA/TSL... comments are cross-BS technology application comments. Only in politics does mixed pieces of BS function properly or as expected.
In technology as in science it either does, or it don't do. There is working properly or working poorly (with a problem) until troubleshot and fixed. If it never worked or ain't working at all (cannot be made to function fully and consistently as expected) then someone fycked-up bad (miss-applied technology application) perhaps the brown-nose wannabe manager that can only read made a decision.
Works for me (Score:3, Interesting)
Self-signed certificates work great, provided you require users to install your CA certificate as one of the trusted certs in their browser.
We make our CA certificate available at a simple url (https://www.example.org/ca/) that uses a commercial certificate signed by a "real" CA, and provides an explanation and instructions on how to install our cert. Installation is straightforward in IE and Firefox, a little trickier in Safari.
Once our CA certificate is in the browser's trusted list, all of the other certs are trusted as well. The only thing to watch out for at that point is name mismatch issues caused by domain aliases and the like.
We considered publishing our certificate thumbprints, too, but that just seemed too paranoid.
Under separate cover (Score:2)
The process for adding a trusted root authority in [IE 7 or Firefox 3] is not particularly user friendly.
Really? In Firefox 2, the process was as follows:
What part of this process significantly changed from Firefox 2 to Firefox 3?
Re:Just provide the checksum for your certificate (Score:2)
Anyone capable of implementing the man-in-the-middle attack that signed certificates protect you against is also capable of modifying you web pages in flight so that the checksum the user sees matches the certificate they created.