Gentoo Forums
Is this a security hole? [solved]
padukes (Apprentice; Joined: 27 Feb 2003; Posts: 232)
Posted: Mon Feb 28, 2005 8:41 pm    Post subject: Is this a security hole? [solved]

Hey All,

I signed my own cert for my webserver. I understand that browsers will still not trust my site unless my cert is installed as a root authority in the users' web browsers. So, is there any reason not to post my cert publicly, something like www.mysite.com/mycert.crt? My understanding is that a cert is just a public key, and as long as I keep my private key safe no one can use my cert to falsify their website. Is this true? What if I signed my cert with a key that doesn't have a passcode? That's still the same, right?

Thanks all,
P


shadow255 (Guru; Joined: 04 Apr 2003; Posts: 412)
Posted: Tue Mar 01, 2005 12:02 am

From the standpoint of someone deciding whether to trust your certificate, your proposed method of self-certifying fails to inspire trust. Public key infrastructure is designed to enable third parties to use certificates in such a way that the public key can be retrieved from a repository that is generally known to be worthy of trust. It also makes what is known as the "man-in-the-middle" attack more difficult to achieve. Hosting your public key on the site your visitors need to validate fails to protect against such things, makes for a single point of failure in the web of trust and generally won't result in people trusting your site.
j-m (Retired Dev; Joined: 31 Oct 2004; Posts: 975)
Posted: Tue Mar 01, 2005 12:36 am

Have a look at http://cert.startcom.org/ - they are offering certificates for free... :wink:
kopfsalat (Apprentice; Joined: 01 Dec 2003; Posts: 181; Location: Cologne, Germany)
Posted: Tue Mar 01, 2005 1:00 am

As the previous poster pointed out, your self-signed certificate is only as trustworthy as you are. That's OK for use with your friends or on an intranet (visitors can knock at your door or give you a call), but on a public web shop, for example, it probably won't cut it.

You can send your public key to whoever you want. It's public. It's used to encrypt messages, so only you can decrypt them with your private key.

Same applies to certificates as they simply contain your public key with some extra information like duration and what the certificate applies to, signed with the private key of the CA (certification authority). The signature can be verified by everyone using the public key of the CA.

Because yours is self-signed, it's like saying "trust my site because I say so and I'm trustworthy".

The optional password protection for the private key offers some extra protection as your private key is then encrypted with that password as a key. But as long as your private key is not accessible to anyone you don't need it.

Hope that kind of explains it.
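The points made in the post above, checked with openssl in an added example that is not part of the original thread: the certificate file carries only the public key, nothing a visitor downloads from it lets them produce signatures the certificate verifies or mint a certificate that validates against it, and a passphrase only encrypts the private key at rest. The host name www.mysite.com, the "attacker" key pair and the sample message are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the thread). Requires the openssl CLI.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
MSG="$WORK/msg.txt"
printf 'constructed sample message\n' > "$MSG"

# Private key plus self-signed certificate, as the original poster made.
# A second, unrelated key pair stands in for someone who only has a copy
# of the published certificate and wants to impersonate the host.
make_selfsigned() {   # $1 = key file, $2 = cert file, $3 = common name
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1" -out "$2" \
        -days 30 -subj "/CN=$3" >/dev/null 2>&1
}
make_selfsigned "$WORK/server.key"   "$WORK/server.crt"   www.mysite.com
make_selfsigned "$WORK/attacker.key" "$WORK/attacker.crt" www.mysite.com

# 1. The certificate file contains no private-key material at all.
cert_has_no_private_key() {   # $1 = cert
    ! grep -q 'PRIVATE KEY' "$1"
}

# 2. The key embedded in the cert is exactly the public half of the private key.
cert_pubkey_matches_key() {   # $1 = cert, $2 = private key
    openssl x509 -in "$1" -pubkey -noout > "$WORK/pub_from_cert.pem"
    openssl pkey -in "$2" -pubout       > "$WORK/pub_from_key.pem"
    cmp -s "$WORK/pub_from_cert.pem" "$WORK/pub_from_key.pem"
}

# 3. Only the matching private key produces signatures the cert verifies.
#    A TLS handshake proves possession of the key in the same way, so a copy
#    of the cert alone cannot complete a handshake as www.mysite.com.
signature_verifies() {   # $1 = signing key, $2 = cert used to verify
    openssl dgst -sha256 -sign "$1" -out "$WORK/sig.bin" "$MSG"
    openssl x509 -in "$2" -pubkey -noout > "$WORK/verify.pem"
    openssl dgst -sha256 -verify "$WORK/verify.pem" \
        -signature "$WORK/sig.bin" "$MSG" >/dev/null 2>&1
}

# 4. With the published cert as the only trust anchor, the cert validates
#    itself (self-signed: "trust me because I say so"), but a different
#    self-signed cert for the same name does not.
validates_against() {   # $1 = trust anchor cert, $2 = cert under test
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# 5. A passphrase encrypts the private key file; without it not even the
#    public half can be recovered from that file.
encrypt_key() {   # $1 = plain key, $2 = encrypted output, $3 = passphrase
    openssl pkey -in "$1" -aes256 -passout "pass:$3" -out "$2"
}
key_readable_with() {   # $1 = encrypted key, $2 = passphrase
    openssl pkey -in "$1" -passin "pass:$2" -pubout >/dev/null 2>&1
}
encrypt_key "$WORK/server.key" "$WORK/server.enc.key" 's3cret-passphrase'

# Stand-alone run: report each check.
cert_has_no_private_key "$WORK/server.crt"                    && echo "cert holds no private key"
cert_pubkey_matches_key "$WORK/server.crt" "$WORK/server.key" && echo "cert pubkey == key's public half"
signature_verifies "$WORK/server.key"   "$WORK/server.crt"    && echo "own key: signature verifies"
signature_verifies "$WORK/attacker.key" "$WORK/server.crt"    || echo "attacker key: signature rejected"
validates_against "$WORK/server.crt" "$WORK/server.crt"       && echo "self-signed cert validates against itself"
validates_against "$WORK/server.crt" "$WORK/attacker.crt"     || echo "attacker's cert does not validate"
key_readable_with "$WORK/server.enc.key" 's3cret-passphrase'  && echo "encrypted key opens with passphrase"
key_readable_with "$WORK/server.enc.key" 'wrong'              || echo "encrypted key unreadable without it"
```

The passphrase check is the one that answers the last question in the original post: an unencrypted key gives an attacker nothing extra as long as the file itself never leaves the server, but an encrypted key limits the damage if the file is copied (a stolen key file is useless without the passphrase, while the published cert was never secret).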
j-m (Retired Dev; Joined: 31 Oct 2004; Posts: 975)
Posted: Tue Mar 01, 2005 1:12 am

Well, the purpose of self-signed certificates is to use them to encrypt communication, not to establish trust. They are not useless, they rather have a different purpose.
padukes (Apprentice; Joined: 27 Feb 2003; Posts: 232)
Posted: Tue Mar 01, 2005 2:40 am

Hey all,

Thanks for the advice. My cert is mainly for private consumption, so I'm not so worried about people trusting me. I was more concerned about someone being able to attack me or impersonate me because they had access to my cert.

Thanks again,
P