[ntp:questions] Re: 4.2.1-RC

Per Hedeland per at hedeland.org
Sat Mar 25 10:01:03 UTC 2006


In article <T1143246254 at djwhome.demon.co.uk> david at djwhome.demon.co.uk
(David Woolley) writes:
>In article <slrne27vp4.5u2.kostecke at stasis.kostecke.net>,
>Steve Kostecke <kostecke at ntp.isc.org> wrote:
>
>> We are using a self-signed SSL certificate.
>
>Which means that you have little more security than if you weren't using
>one at all (note although SSL can negotiate no authentication, I don't
>think that normal browsers or servers permit that - that's because an
>unauthenticated connection is basically insecure!).

Absolutely - and where is the need for this imagined security on a
public bug-reporting system anyway? (It seems to be something of a trend
in that particular area.)

>> Most people choose accept this certificate
>
>Most people don't understand the purpose of certificates.  They think
>they are used and needed for encryption, whereas encryption is perfectly
>possible with a purely transient public key, but is vulnerable to a
>man in the middle attack.  If they did understand them, they would be
>cautious of using the many e-commerce sites whose certificates don't
>match the business they think they are dealing with.  (One can probably
>trust Worldpay to authenticate their merchants, but many certificates are
>for unknown web hosting companies.)

The really bad part about using these unverifiable certificates is that
"most people" get conditioned into believing that a certificate warning
is a perfectly normal thing, just click OK and go ahead. Of course many
"most people" click OK on any and all popups without even reading the
message, but why make things worse?

>>                                            (hopefully after examining
>> it).
>
>Anyone examining it should realise that, unless they take steps to
>authenticate the certificate by other means (a notorised paper copy of
>the fingerprint?), they could actually be talking to almost anyone.
>You look at certificates to see if you trust the counter-signatory,
>and to see if the subject name matches the organisation it purports to
>belong to well enough that no-one except that organisation could have
>convinced the counter-signatory to counter sign it.

But there is obviously no way to establish that the claimed
counter-signatory isn't totally faked by just looking at the certificate
(or even "examining" it). Anyone can produce certificates that have
Verisign or whatever as the Issuer DN - only after (programmatically)
verifying the signature of the certificate against a trusted CA
certificate from the Issuer does the text string in the certificate have
any significance at all.

So the only thing that can be achieved by "examining" a self-signed
certificate like this is the realization that it can't be trusted, which
is just what the browser popup told you in the first place.

--Per Hedeland
per at hedeland.org




More information about the questions mailing list