Domain: sm-zone.net
Stories and comments across the archive that link to sm-zone.net.
Comments · 10
-
Re:Apparently, applets only
The craziest thing is that the kinds of device I'm thinking of are typically used by the IT guys in large organisations.
Most medium to large IT shops run their own Certificate Authority that is only trusted within the organization.
One can sign unlimited keys this way, as well as avoid the age limits the public CAs cap you at.
Windows networks have a GUI for this, so the process only takes a couple minutes.
Unix networks use openssl, which I admit takes a bit of learning to use if it isn't something you do regularly.
Personally I use TinyCA as a GUI front end instead.For one thing, signing a Java applet proves exactly nothing about how trustworthy it is. You can easily get a signing certificate by spending a small amount of money and waiting a small amount of time. The whole concept of granting increased permissions to untrusted software just because it's been signed is absurd.
Two things in reply to this part.
1)
GlobalSign.com has a free code signing tool.
(Likewise, OpenSSL offers free class-1 certificates for your web server)
Both are major public CAs trusted by default. Even a small amount of money is not much of a problem.2)
Your comment about proving trust is part right, but part wrong.What cert and code signing actually does is prove the apps/servers in question is linked to a particular private key.
Only saying "that key is that person/organization" is not proven or a given.So it is still useful to know if future apps/servers are from the same source, and on a much lower level showing what org claims to be that source.
In other words, if you make and put up an app signed by your private key, then later you make and put out some other app signed with the same key, then PKI has just proved both apps came from the same source.
If I downloaded those apps from your website, and your name is in the readme, then it is safe to assume any apps signed with that key are yours.
I can then choose to trust those apps based off my level of trust for you.If you make awesome apps, that trust will go up.
If you put out some infected app, or otherwise damaging software, that trust will go down.But you are perfectly correct about PKI not proving anything regarding if you actually want to run that code or not. And this is a poor metric to be modifying Java to make such a choice on.
In the above example, you can just make a new private key to use, and it might take a bit before anyone notices the two keys are the same person and thus apply their trust rules accordingly.That is the main reason a black list method will never work, only a white list method.
If I white-list the key your first app used because I trust it and you, then that trust will apply to your other apps too.
But if I black-list your key because I don't trust you, that is useless since you can generate unlimited private keys (and even one key per app, if you are trying to avoid black lists ;)That's why Java blacklisting things (aka things not signed by a CA) is pretty pointless.
-
Re:Correct
I've found a decent way to handle self-signed certs is to run your own certificate authority.
For Linux a great app I use is TinyCA
Windows Server 2003 has a module built in to do this, in a limited windows way. I can only assume 2008 server has it too.If you sign all your self-signed certs with one private CA key, you only need to import a single public CA key to your browser, and makes things a lot easier.
Under a windows domain, you can even push that public CA key to IE automatically.
My work domain has one for all of our internal webapp tools and webservers, and my home network has one for the same.
I also run a nice sized IRC network which uses a round-robbin DNS setup, so letting users import a single CA key makes auto-reconnecting easier without having to accept a new cert each time you land on a new random server.
I too only recently came across startssl.com, only about a year ago.
Their certs seem fairly well supported in the recent common browsers, though they weren't listed in mIRC last I checked.Still, sometimes its just easier to handle the signing process yourself than going through startssl (or any other CA for that matter)
My only wish was for an app like TinyCA designed for use on a plain windows workstation.
There used to be a bootable knoppix image with TinyCA on it designed to work off an encrypted usb disk, but sadly the link seems dead.
For most of us here however, setting up a live usb based linux install just for tinyCA, or even something in virtualbox, shouldn't be too hard to make.
I just wish they made it easier for more people to do. -
Re:Private Certificate Authority
Not only that, but if you're don't feel like using using the OpenSSL command line, you could always use a GUI front-end like TinyCA to make life easier. On Ubuntu, it's available prepackaged.
-
Re:Private Certificate Authority
TinyCA2 is rather easy to use.
-
Re:Really now.
It really shouldn't. If they're remotely competent (okay, I know that's asking a lot), they'll have set up their own mini CA with something like TinyCA and have installed that CA's cert in the browser's CA list. If you're using truly self-signed certs rather than certs issued by your own mini CA, you're retarded.
-
Re:Self-signed CertsI'm late to this, but maybe you get a response notification.
Check out TinyCA, at http://tinyca.sm-zone.net/. It is a GUI to ease certificate creation and management.
-
OpenVPN all the way!
-
Re:other PKI options
I just implemented our company's PKI* with TinyCA. It's a handy little front-end to OpenSSL that generates certificates and signs requests, etc. We are a small business, and I have been looking for a program like this for a long time (I was actually about to write my own). My root is not signed, as the certificates are just installed on sites for internal use, but theres no reason it wouldn't work with signed roots.
There is actually a knoppix-based live-cd distro called roCA that runs tinyCA that is designed to store the certificates on a USB thumb drive. The idea is that you lock up the CD and thumb drive. A bit easier than an entire laptop..
* I'm not really sure this is an all-out "PKI" system in the "enterprise" sense of the word. As I'm not a security expert -- just an IT guy that needed an easy way to manage certificates -- I don't really understand the buzzword-laden PKI industry, that seems to have lots of companies that sell PKI management software without really explaining what exactly they do. -
Re:Don't use self-signed certs.
Disabling certificate validation is silly. There is no reason to do it.
Running your own, small-scale Certificate Authority takes about 10 minutes of your time and is vastly more secure than bypassing certificate validation. There's no need to pay anyone, you simply ensure that your clients have your CA certificate installed.
TinyCA is very easy to use.
-
use your own CA for your backend servers
You might need a certificate signed by a well known CA for your connections from the internet, but for all your backend server you can create your own CA. This will enable you to use a full strenght 1024/128 bit sll for nothing. There is a project called tinyca which enables you to create and signed certificates with your inhouse CA. So you create a CA for your company and add the CA to all your backend server. Once this is done, any certificate signed by your CA will be valid and fully secured.
I have tested it for Apache and Weblogic and Websphere and they work very well.