When Is a Self-Signed SSL Certificate Acceptable?

UltraLoser writes "When is it acceptable to encourage users to accept a self-signed SSL cert? Recently the staff of a certain Web site turned on optional SSL with a self-signed and domain-mismatched certificate for its users and encourages them to add an exception for this certificate. Their defense is that it is just as secure as one signed by a commercial CA; and because their site exists for the distribution of copyrighted material the staff do not want to have their personal information in the hands of a CA. In their situation is it acceptable to encourage users to trust this certificate or is this giving users a false sense of security?"

Always.

[fyngyrz]

SSL certificates provide one thing, and one thing only: Encryption between the two ends using the certificate.

They do not, and never been able to, provide any verification of who is on either end. This is because literally one second after they are issued, regardless of the level of effort that goes into validating who is doing the buying, someone else can be in control of the certificate, legitimately or otherwise.

Now, I understand perfectly well that Verisign and its brethren have made a huge industry out of scamming consumers into thinking that identification is indeed something that a certificate provides; but that is marketing illusion and nothing more. Hokum and hand-waving.

Re:Always.

[squiggleslash]

SSL certificates perform two functions: they verify the credentials of the website you're connecting to, and they provide a secure key for communications between the webserver and you. The reason we combine the two into one certificate is to make man-in-the-middle attacks more difficult. As you suggest, there are ways to compromise the SSL system, however they require you attack in one of four specific places:

1. You compromise the web browser, providing a bogus list of authorities. Your web browser maker becomes liable in that instance.
2. You compromise the SSL certificate authority, creating a bogus certificate signed by the CA. In this instance, the authority is liable
3. You compromise the certificate holder, stealing the legitimate private certificate and redirecting traffic to and from their servers to your own (or hacking into their website to transfer the information to you.) In this case, the holder is liable
4. You compromise the user's PC, patching the web-browser to accept bogus credentials. In this case the user is at fault

At this point it should be obvious what the SSL certificate system provides you with, which is a clear chain of responsibility for breaches in security. Simply sticking a box between a client victim and server victim is not enough, you have to actively compromise one of the four groups above in order to spy on secured traffic. This creates incentives for each group to keep their part of the chain of accountability secure, and it ensures there's a starting point should there be a breach anyway.

Given the difficulty of sending legitimate certificates directly to participants on a mass scale, the CA system is about as secure as we're going to get, and while it's not perfect, that's not a legitimate reason to treat it equally with unsigned certificates. The chain of accountability makes a difference in terms of how you can recover from security breaches, and the likelihood of there being a breach in the first place.

Re:Always.

[the_womble]

I doubt that precise attack has been used, but:

1) SSL certificates do get issued to phishing sites
2) Some banks have login forms on un-encrypted pages

see: http://news.netcraft.com/archives/2005/12/28/more_than_450_phishing_attacks_used_ssl_in_2005.html and http://it.slashdot.org/article.pl?sid=06/02/13/2143251

Re:Always.

[hal9000(jr)]

Can you cite any examples of a case where a certificate has been subverted in this way?

Yes. Back in 2001, Verisign issued 3 code signing certificates to people impersonating Microsoft employees.

As others I am sure have already said, the strength of the identity verification is solely based on how the verification is done.

Trivial question - how about the math answer ?

[OeLeWaPpErKe]

Self-signed certificates are acceptable if you can spread the root public key *yourself* in a secure manner.

Simple, no ?

In any exchange between 2 known parties for example, it is *always* preferable to have self-signed certificates.

Tons of them

[evilpenguin]

I find a self-signed certificate is useful on many occasions. I use it for my own squirrelmail service. I have set them up for "extranet" applications for small business clients.

This is just fine. I give them a hard copy of the key signature and tell them to verify it before the accept it.

Someone above says the a CA adds nothing. I don't agree with that. They add identity verification *to the extent* that site visitors actually *read* the certificates and evaluate their level of trust in the CA.

Quick: Tell me right now how many CAs are in your browser's trusted certs list. Now tell me where that list came from. Tell me why you trust it.

In other words, the signed certificate system can provide excellent security, but most of us simply trust our browsers when they don't complain. That isn't security. You really should check certificates every time. View the details, check the signatures, verify the integrity of your trusted CA list. But who bothers?

So while I don't agree that CA signed certs "add nothing," I do agree that hardly any users (including me who theoretically knows better) do their due diligence that would make that system truly work.

Firefox 3

[Trogre]

I've noticed that Firefox 3 is much less forgiving of self-signed certs than other browsers. There's a lot more hoops that one has to jump through to get a page to load.

I've found it rather annoying, since all our internal web applications are served via SSL.

Re:Firefox 3

[Rovaani]

Can't you just generate your own root certificate, use it to sign all the web-app certs and then distribute your own root certificate to all the employees?

Re:hipotesis

[slim]

Infact, having a third party signing your certificate potentially reduces it's security, since they are now in possession of the certificate too, and have likely transmitted it to you via plain text email.

HUH?

There is nothing whatsoever that is confidential in an X.509 certificate.

It is a chunk of bytes that says "Public key P corresponds to identity I, according to authority A", and it contains a signature created using A's private key, which ANYONE can check using A's public key.

During the whole request and issue process, the secret bit -- I's private key, never leaves I's possession.

The certificate could be printed in the New York Times, with no loss of security.