Slashdot Mirror

← Back to Stories (view on slashdot.org)

When Is a Self-Signed SSL Certificate Acceptable?

Posted by kdawson on from the how-about-never-is-never-good-for-you dept.

UltraLoser writes "When is it acceptable to encourage users to accept a self-signed SSL cert? Recently the staff of a certain Web site turned on optional SSL with a self-signed and domain-mismatched certificate for its users and encourages them to add an exception for this certificate. Their defense is that it is just as secure as one signed by a commercial CA; and because their site exists for the distribution of copyrighted material the staff do not want to have their personal information in the hands of a CA. In their situation is it acceptable to encourage users to trust this certificate or is this giving users a false sense of security?"

4 of 627 comments (clear)

  1. Re:Always. by bpkiwi · · Score: 5, Interesting

    My bank txts a one time authentication code to my phone for any transaction that involves money leaving my accounts (transfers, setting up direct debits, etc). I've always considered it an elegant solution, not foolproof, but few systems are.

  2. True Story by BLKMGK · · Score: 5, Interesting

    While at DEFCON working the Wall of Sheep one year we discovered that someone had setup a WEB site on the network to bet on the outcomes of the hacking contest - they used a self signed SSL cert. Now some people, being paranoid on a VERY hostile network, turned down this certificate and promptly created\used the WEB site sans SSL - exposing their creds clear text. We promptly snarfed these and posted them on The Wall. 0wned!

    All they had to do was accept the cert and they would have been protected. But I guess since seeing that pop-up was out of the ordinary and being on a network that was so nasty they thought they would play it safe and say NO, how stupid....

    --
    Build it, Drive it, Improve it! Hybridz.org
  3. Re:Always. by jamesh · · Score: 4, Interesting

    1) SSL certificates do get issued to phishing sites

    I figured that would probably happen, but i'd never actually seen it. I don't make a habit of deliberately visiting phishing sites though.

    2) Some banks have login forms on un-encrypted pages

    I've not seen a bank do it, but these guys do, which I think is just insane, especially seeing as in all other respects (apart from price) they are an excellent domain registrar. Click the login link in the top left and you'll be presented with a non-https page with a username and password on it. I've emailed them about it but they just don't get it. Idiots.

    I've stopped using MelbourneIT for new registrations on that basis. I suggest you do the same.

  4. Re:Always. by darthflo · · Score: 4, Interesting

    There's one problem:
    Wachovia tells their users to enter their credentials on the unsecured front page, which then submits to a secure script processing said credentials.
    What you might be forgetting: What if I set up interception on my shared WiFi (or somewhere at the backbone of the hypothetical ISP I might be working for) to grab all HTTP requests for / going to r3wec01.wachovia.com and add a tiny bit of JavaScript that, in addition to the page working as it usually does, posts all keypresses to a script of my choosing?
    Without access to WB's certificate, I couldn't do that on a properly secured HTTPS site. Thanks to unencrypted HTTP, it's pretty trivial.