Jump to content

SSL Certificates

ssmithisme

By ssmithisme
in Everything Else

 Share

Recommended Posts

Sparda Newbie

Sparda

Posted
Posted

http://www.akadia.com/services/ssh_test_certificate.html

Using a self signed cert will make every browser prompt the user with "Are you sure you want to do this?". In addition to this, the security gain is questionable as self signed certs are vulnerable to MITM attacks.

They are only properly useful for internal use (where the CA is deployed to every computer) and also testing that some thing works over SSL before buying a proper cert.

Link to comment
Share on other sites
Oneiroi Newbie

Oneiroi

Posted
Posted
http://www.akadia.com/services/ssh_test_certificate.html

Using a self signed cert will make every browser prompt the user with "Are you sure you want to do this?". In addition to this, the security gain is questionable as self signed certs are vulnerable to MITM attacks.

They are only properly useful for internal use (where the CA is deployed to every computer) and also testing that some thing works over SSL before buying a proper cert.

That said self signed certs are useful when you do not need a 'client facing' ssl secured page, i.e. a web service, as PHP has a major problem verifying SSL certs most developers choose to disable this check, I would only use this in the case where you want network level security (SSL encryption of transmitted data, PCI compliance etc ...)

Again this doesn't stop the MITM attacks, an additional step is to lockdown the access by IP address and even the device MAC, but then these too can be circumvented, it depends what you are trying to achieve.

If it is just a web service between two servers, an SSH SOCKS tunnel to the server running the webservice, which is then locked down to only allow access to localhost using htaccess, would be a way to secure this.

Anyway This is going off at a tangent, just some food for thought.

Link to comment
Share on other sites
Sparda Newbie

Sparda

Posted
Posted

Well no, they can just use there own certificate in a MITM attack since it would be as genuine as the one you made. Unless the browser knows about your CA, the attackers CA (probably using the same name) will look the same to the end user.

Link to comment
Share on other sites
ssmithisme Newbie

ssmithisme

Posted
  • Author
Posted
Well no, they can just use there own certificate in a MITM attack since it would be as genuine as the one you made. Unless the browser knows about your CA, the attackers CA (probably using the same name) will look the same to the end user.

Oh yea. now I remember. lol. just has a brain fart.

Link to comment
Share on other sites
ssmithisme Newbie

ssmithisme

Posted
  • Author
Posted
Because they don't want to buy the certificates? Because they are lazy and don't want to sign them (they are probably a CA)?

yea, I edited that part out of the post as soon as you saw it I geuss. lol

But that tutorial looks pretty straight forward. Im gonna give it a go.

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
 Share
Go to topic listing

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...