[ntp:questions] Re: 4.2.1-RC

David Woolley david at djwhome.demon.co.uk
Sat Mar 25 00:24:20 UTC 2006


In article <slrne27vp4.5u2.kostecke at stasis.kostecke.net>,
Steve Kostecke <kostecke at ntp.isc.org> wrote:

> We are using a self-signed SSL certificate.

Which means that you have little more security than if you weren't using
one at all (note although SSL can negotiate no authentication, I don't
think that normal browsers or servers permit that - that's because an
unauthenticated connection is basically insecure!).

> Most people choose accept this certificate

Most people don't understand the purpose of certificates.  They think
they are used and needed for encryption, whereas encryption is perfectly
possible with a purely transient public key, but is vulnerable to a
man in the middle attack.  If they did understand them, they would be
cautious of using the many e-commerce sites whose certificates don't
match the business they think they are dealing with.  (One can probably
trust Worldpay to authenticate their merchants, but many certificates are
for unknown web hosting companies.)

Some will have made a conscious decision that either a man in the middle
attack isn't likely or that they don't think the site needs encryption.

Even fewer will have made that decision first time, then saved the
certificate, so that any man in the middle attack would have to be long
term for it not to become exposed.

>                                            (hopefully after examining
> it).

Anyone examining it should realise that, unless they take steps to
authenticate the certificate by other means (a notorised paper copy of
the fingerprint?), they could actually be talking to almost anyone.
You look at certificates to see if you trust the counter-signatory,
and to see if the subject name matches the organisation it purports to
belong to well enough that no-one except that organisation could have
convinced the counter-signatory to counter sign it.

The legitimate use of self signed certificates is where there is 
another means used to distribute the certificate to the client, e.g.
for Verisign, it comes with the browser, for a company's internal server,
it's placed on the PCs by the IT department, or for a software support
site, it came with the original software disk.




More information about the questions mailing list