Slashdot Mirror

← Back to Stories (view on slashdot.org)

When Is a Self-Signed SSL Certificate Acceptable?

Posted by kdawson on from the how-about-never-is-never-good-for-you dept.

UltraLoser writes "When is it acceptable to encourage users to accept a self-signed SSL cert? Recently the staff of a certain Web site turned on optional SSL with a self-signed and domain-mismatched certificate for its users and encourages them to add an exception for this certificate. Their defense is that it is just as secure as one signed by a commercial CA; and because their site exists for the distribution of copyrighted material the staff do not want to have their personal information in the hands of a CA. In their situation is it acceptable to encourage users to trust this certificate or is this giving users a false sense of security?"

28 of 627 comments (clear)

  1. Always. by fyngyrz · · Score: 5, Informative

    SSL certificates provide one thing, and one thing only: Encryption between the two ends using the certificate.

    They do not, and never been able to, provide any verification of who is on either end. This is because literally one second after they are issued, regardless of the level of effort that goes into validating who is doing the buying, someone else can be in control of the certificate, legitimately or otherwise.

    Now, I understand perfectly well that Verisign and its brethren have made a huge industry out of scamming consumers into thinking that identification is indeed something that a certificate provides; but that is marketing illusion and nothing more. Hokum and hand-waving.

    --
    I've fallen off your lawn, and I can't get up.
    1. Re:Always. by jamesh · · Score: 5, Insightful

      Can you cite any examples of a case where a certificate has been subverted in this way?

      And while you are on your soapbox, what is the alternative? By what other method do you suggest that I prove to my satisfaction that when I go to www.mybank.com.au that I am actually at mybank's website, and that a dns record somewhere hasn't been subverted and I am instead entering my login details to a phishing site made up to look exactly like my bank?

      I'm pretty sure you are talking out of your arse. Unless you can cite some examples of a big name company (eg a major bank) having had their certificate subverted in this way, and not having said certificate revoked almost immediately, i'll stick with what works thanks.

    2. Re:Always. by jolyonr · · Score: 5, Insightful

      I totally agree - The internet would be FAR more secure if there was a way of using self-signed certificates without browser warnings.

      But the certificate vendors have a licence to print money and abuse it horrifically.

      For example, a certificate for a domain www.example.com costs a fraction of what a certificate for a wildcard *.example.com would cost. What extra work do they have to do for that extra money?

      ALL sites would be more secure with a self-signed certificate than plain HTTP. But self-signed certificates scare the crap out of visitors with their alarmist warnings. If anything, the warnings should be shown on plain HTTP sites saying "Watch out! This isn't encrypted".

      So. I say get rid of the self-signed warnings from all browsers, they do far more harm than good. Instead, make it clear on the browser with colouring, icons, whatever, whether the site has a verified certificate from a CA, or it does not (in the case of self-certs or HTTP).

      Jolyon

      --


      Please read my Canon EOS tech blog at http://www.everyothershot.com
    3. Re:Always. by squiggleslash · · Score: 5, Informative

      SSL certificates perform two functions: they verify the credentials of the website you're connecting to, and they provide a secure key for communications between the webserver and you. The reason we combine the two into one certificate is to make man-in-the-middle attacks more difficult. As you suggest, there are ways to compromise the SSL system, however they require you attack in one of four specific places:

      1. You compromise the web browser, providing a bogus list of authorities. Your web browser maker becomes liable in that instance.
      2. You compromise the SSL certificate authority, creating a bogus certificate signed by the CA. In this instance, the authority is liable
      3. You compromise the certificate holder, stealing the legitimate private certificate and redirecting traffic to and from their servers to your own (or hacking into their website to transfer the information to you.) In this case, the holder is liable
      4. You compromise the user's PC, patching the web-browser to accept bogus credentials. In this case the user is at fault

      At this point it should be obvious what the SSL certificate system provides you with, which is a clear chain of responsibility for breaches in security. Simply sticking a box between a client victim and server victim is not enough, you have to actively compromise one of the four groups above in order to spy on secured traffic. This creates incentives for each group to keep their part of the chain of accountability secure, and it ensures there's a starting point should there be a breach anyway.

      Given the difficulty of sending legitimate certificates directly to participants on a mass scale, the CA system is about as secure as we're going to get, and while it's not perfect, that's not a legitimate reason to treat it equally with unsigned certificates. The chain of accountability makes a difference in terms of how you can recover from security breaches, and the likelihood of there being a breach in the first place.

      --
      You are not alone. This is not normal. None of this is normal.
    4. Re:Always. by the_womble · · Score: 5, Informative
      I doubt that precise attack has been used, but:

      1) SSL certificates do get issued to phishing sites
      2) Some banks have login forms on un-encrypted pages

      see: http://news.netcraft.com/archives/2005/12/28/more_than_450_phishing_attacks_used_ssl_in_2005.html and http://it.slashdot.org/article.pl?sid=06/02/13/2143251

    5. Re:Always. by bpkiwi · · Score: 5, Interesting

      My bank txts a one time authentication code to my phone for any transaction that involves money leaving my accounts (transfers, setting up direct debits, etc). I've always considered it an elegant solution, not foolproof, but few systems are.

    6. Re:Always. by jamesh · · Score: 4, Interesting

      1) SSL certificates do get issued to phishing sites

      I figured that would probably happen, but i'd never actually seen it. I don't make a habit of deliberately visiting phishing sites though.

      2) Some banks have login forms on un-encrypted pages

      I've not seen a bank do it, but these guys do, which I think is just insane, especially seeing as in all other respects (apart from price) they are an excellent domain registrar. Click the login link in the top left and you'll be presented with a non-https page with a username and password on it. I've emailed them about it but they just don't get it. Idiots.

      I've stopped using MelbourneIT for new registrations on that basis. I suggest you do the same.

    7. Re:Always. by fyngyrz · · Score: 4, Informative

      You are Alice. You want to talk to Bob's website: www.example.com

      I'm Evel - and I have hacked Alice's computer, compromising anything I need to, from her certificate collection to her browser to her hosts file or all of the above.

      Alice ->[her browser hums a happy song] home network -> Evel [collects her CC info, etc., moves to island with hot chicks and rum drinks.] Mind you a keylogger would be enough, but just for fun...

      Alice is not safe from attacks. Not with a certificate, and not without one. End of story.

      However: If Alice talks to a legitimate merchant, and no one has hacked anything, then the conversation between her and the other end is very difficult to break into, moreso than her computer, I might add. Which is the same advantage you would have had with self-signed certificates. The ONLY time you're safe is when you've not been hacked. To say that because ONE hack has been deterred -- the MITM attack -- the user should feel safe... I'm not buying it. It is as meaningless as saying you're safe because one out of a thousand vulnerabilities in your browser have been patched. You're not safe until there are no vulnerabilities; consequently, you're not safe. Period.

      --
      I've fallen off your lawn, and I can't get up.
    8. Re:Always. by hal9000(jr) · · Score: 5, Informative

      Can you cite any examples of a case where a certificate has been subverted in this way?

      Yes. Back in 2001, Verisign issued 3 code signing certificates to people impersonating Microsoft employees.

      As others I am sure have already said, the strength of the identity verification is solely based on how the verification is done.
    9. Re:Always. by darthflo · · Score: 4, Interesting

      There's one problem:
      Wachovia tells their users to enter their credentials on the unsecured front page, which then submits to a secure script processing said credentials.
      What you might be forgetting: What if I set up interception on my shared WiFi (or somewhere at the backbone of the hypothetical ISP I might be working for) to grab all HTTP requests for / going to r3wec01.wachovia.com and add a tiny bit of JavaScript that, in addition to the page working as it usually does, posts all keypresses to a script of my choosing?
      Without access to WB's certificate, I couldn't do that on a properly secured HTTPS site. Thanks to unencrypted HTTP, it's pretty trivial.

    10. Re:Always. by Matje · · Score: 4, Insightful

      no no no, really you don't understand. Since the login page is not encrypted, it may have been changed during transfer to your browser. You'll be sending your user credentials to the evil MITM.

      See? since you can't trust the login page it doesn't matter that your username & password are sent using SSL, since you'd be sending them encrypted to the evil MITM.

  2. Trivial question - how about the math answer ? by OeLeWaPpErKe · · Score: 5, Informative

    Self-signed certificates are acceptable if you can spread the root public key *yourself* in a secure manner.

    Simple, no ?

    In any exchange between 2 known parties for example, it is *always* preferable to have self-signed certificates.

  3. Requirement for a signed certificate SSL flaw by Chrisq · · Score: 5, Insightful

    In my opinion SSL mixed two requirements, identification of site owner and secure communication.

    This meant that many sites applied for SSL certificates just for secure communication. Some certificate authorities virtually issued certificates on request.

    To get round they introduced extended validation certificates, which means we really, really validate this site.

    They should have allowed secure communication without certificates, and had properly authorised certificates to start with. Since they didn't we have the situation where people have to self-sign

  4. Tons of them by evilpenguin · · Score: 5, Informative

    I find a self-signed certificate is useful on many occasions. I use it for my own squirrelmail service. I have set them up for "extranet" applications for small business clients.

    This is just fine. I give them a hard copy of the key signature and tell them to verify it before the accept it.

    Someone above says the a CA adds nothing. I don't agree with that. They add identity verification *to the extent* that site visitors actually *read* the certificates and evaluate their level of trust in the CA.

    Quick: Tell me right now how many CAs are in your browser's trusted certs list. Now tell me where that list came from. Tell me why you trust it.

    In other words, the signed certificate system can provide excellent security, but most of us simply trust our browsers when they don't complain. That isn't security. You really should check certificates every time. View the details, check the signatures, verify the integrity of your trusted CA list. But who bothers?

    So while I don't agree that CA signed certs "add nothing," I do agree that hardly any users (including me who theoretically knows better) do their due diligence that would make that system truly work.

  5. Re:hipotesis by Anonymous Coward · · Score: 5, Insightful

    It's not really a No No; it's just that, in order to be sure that the certificate is okay, you have to be able to ensure that you have the same level of security as a normal certificate. What is that exactly??

    Well, a normal certificate is often verified simply by email. In order to get one you have to prove that you can respond to email for your domain. In other words you prove that you get IP packets that are destined to that domain (recieve the email you want). This is quite a bit harder than spoofing, but much easier than breaking an RSA key.

    So, how can we get the same level of security? Well, if we connect to a web server then that web server has proven that it can get the packets for that domain. Any certificate it distributes has almost the same level of security as a normal web certificate. There is one difference. When you use a normal certificate they are proving that they can now recive your packets and they could at another time much earlier when they contacted the cerfificate authority. Minor seeming, but important difference. You can gain the equivalent security by checking that the certificate is the same as it was some time before and checking that you have the same certificate as other people world wide.

    So a good way, would be for the web site you are posting about to post their certificate fingerprint on various public web sites and news groups known to be associated with them. That would be just as good as a normal web certificate. Or put another way, given the amount people pay for them and the security they advertise, normal certificates are indeed scams.

    Please note, this discussion doesn't cover extended verification which is also a partial scam, but not as bad as normal certificates. Please note also, that there are some of the older certificates which also require more than just email verification. That is totally irrelevant since your browser interface doesn't differentiate between them and the hackers will always go for the weakest security.

  6. Re:I wonder... by jamesh · · Score: 4, Insightful

    If someone does an inside job of compromising a bank's certificate, how much time would you think the certificate would be on the wild without being revoked? I bet enough time to do a lot of damage.

    Not nearly as much damage as would have been done if everyone used self-signed certs. Look up 'man in the middle' attack.

  7. Firefox 3 by Trogre · · Score: 5, Informative

    I've noticed that Firefox 3 is much less forgiving of self-signed certs than other browsers. There's a lot more hoops that one has to jump through to get a page to load.

    I've found it rather annoying, since all our internal web applications are served via SSL.

    --
    "Nine times out of ten, starting a fire is not the best way to solve the problem." - my wife
    1. Re:Firefox 3 by Rovaani · · Score: 5, Informative

      Can't you just generate your own root certificate, use it to sign all the web-app certs and then distribute your own root certificate to all the employees?

      --
      Karma: Good! Napster: Baad!
  8. Re:Interesting by locofungus · · Score: 5, Insightful


    "When is it acceptable to encourage users to accept a self-signed SSL cert?"

    The answer is: Never.

    What is the point of being sure that no one can intercept your communication all the way from your browser to the server if you don't know who you are talking to in the first place?

    If someone knocked to your door and asked for your money would you give it to him because he has a bulletproof truck so the money will be safe all the way to whatever it is going to? Or would you trust the guy in the truck because he showed you a self-signed document saying: "I am authorised to do what I'm doing. Signed: me." Of course not!

    But you'd be happy if you'd arranged with your bank for a truck to come and pick up the money, and when the truck arrived and you asked to see his documentation he said "Here it is, guaranteed by Fred Bloggs over there." And you have no relationship with Fred Bloggs (although you guess your bank does because the driver says so!) and no comeback against Fred Bloggs if he screws up even if he does have a relationship with your bank.

    Quite frankly what I'd want is my bank having its own root cert that was self signed. I can confirm with my bank that I've got the right cert. And then when the driver turns up he can say "Here it is, guaranteed by your bank". And if the bank has screwed up and let some third party get hold of their root cert private key then I've got a relationship with the bank and I can sue them.

    And when I communicate with my bank I should be able to give them my root cert and then they can check I'm who I say I am (they can use other methods as well if they don't think that is secure enough)

    IIRC the hmrc website (UK TAX) allows you to use client side certificates to communicate with them but doesn't allow self signed ones. But why not? Is hmrc more confident that verisign can tell who I am than hmrc itself is? As a result I don't use a client side certificate.

    Tim.

    --
    God said, "div D = rho, div B = 0, curl E = -@B/@t, curl H = J + @D/@t," and there was light.
  9. Re:I wonder... by evilpenguin · · Score: 5, Insightful

    Certificate key signatures can prevent MITM attacks. Provided someone doesn't MITM the signature exchange...

    CAs are good, but, as I point out in another comment, most of us treat them magically. We don't do anything to verify our trusted cert lists. Can you tell me right now *with certainty* where your trusted CA list came from and that it hans't been modified by someone hostile or by hostile code?

    If you can't tell me that for sure, then you are *less* secure than someone using unsigned certs who has personally verified key signatures face-to-face.

  10. Re:Interesting by Znork · · Score: 5, Insightful

    The answer is: Never.

    Actually, the answer is: Always.

    if you don't know who you are talking to in the first place?

    For most purposes it's sufficient to know I'm talking to the same guy I was last time.

    Or would you trust the guy in the truck because he showed you a self-signed document

    Instead I'm supposed to trust the guy in the truck because he shows me a document signed by the guy in the truck next to him?

    The economic interest of a CA is diametrically opposed to their purpose. They maximize their profit margins by _not_ doing what they should be doing; hence I have no more reason for trusting Verisign (the guy in the truck next to him) than the guy himself.

    In fact, I'd be better off establishing my trust once with the guy in the truck, then accepting that trust in the future; trusting the CA merely means I've opened myself up to being blindly tricked coercion of the CA. If the certificate of the person I've established trust with changes I know somethings up. If I'm subjected to a MITM attack signed by a trusted CA I wont even notice.

    False sense of security

    Funny, I'd say that the false sense of security is exactly what you get from CA signed certificates.

  11. Trouble is, SSL does two things and users are dumb by fuzzyfuzzyfungus · · Score: 4, Insightful

    The problem with SSL, and the tension between ID verification and simple encryption, is not so much a technical issue as it is a "people, on average, cannot be trusted for anything more complex than tying shoelaces". With depressing regularity, studies show people with no clear idea of what the "lock icon" means, no understanding of the fact that a picture of a lock displayed on a website and a lock icon in a browser are two vastly different things, and no real idea of how certificates work, or what a Certificate Authority actually is.

    To compensate, browsers have ratcheted up the warnings given about self-signed certs to extreme levels, making them essentially useless for any site or service catering to the general public. This, then, creates a demand for cheap certs, which leads to shoddy verification, which defeats the purpose, which leads to E.V. certs, which are what certs are supposed to have been all along, only more expensive and with a snazzy green bar that nobody understands. Fan-Fricken-tastic.

    What we really need is a clear distinction between "identity" certs and "stability" certs. Identity certs would essentially cover cases where trust in a given entity is a function of official verification; e.g. when I walk into a bank, my level of trust is based on the legal status of the bank, is it an FDIC member, where is it incorporated, are its financial data properly disclosed, etc. In this case, an assigned SSL cert is just one more official aspect of the entity.

    The stability cert is different. It maps roughly onto the class of interactions that are based on reputation and patterns of behavior. You don't trust your best friend because you've checked his official ID, and you know that he is who he says he is, you trust him because you have been able to observe his behavior and interactions over a period of time. For this case, you don't need an SSL cert that is tied to a real world name, you need one that shows continuity over time. For example, knowing my real name would be of essentially no use in deciding whether or not to trust something I say in a post. Knowing that I am the same fuzzyfuzzyfungus who has posted in the past allows you to read my old posts and decide if I am reliable or not.

    The solution to this need is not CAs in the classic sense, that verify identity then hand out a cert; but public repositories wherein people can deposit self-signed certs at a certain point in time and have that event on file, among a number of repositories, for anybody who asks. Then, if you go to my website, you can look at my cert and, rather then getting something useless like "certificate for foo-barr.org was issued to Mr. foo barr by Verisign", you can see "foo-barr.org has operated under the same entity's certificate for x years." From this, you could then judge the entity based on their last x years of activity.

    The trouble with this notion is that it would require a subtler set of distinctions than the current setup, which people are, on the whole, already uselessly befuddled by. Oh well.

  12. True Story by BLKMGK · · Score: 5, Interesting

    While at DEFCON working the Wall of Sheep one year we discovered that someone had setup a WEB site on the network to bet on the outcomes of the hacking contest - they used a self signed SSL cert. Now some people, being paranoid on a VERY hostile network, turned down this certificate and promptly created\used the WEB site sans SSL - exposing their creds clear text. We promptly snarfed these and posted them on The Wall. 0wned!

    All they had to do was accept the cert and they would have been protected. But I guess since seeing that pop-up was out of the ordinary and being on a network that was so nasty they thought they would play it safe and say NO, how stupid....

    --
    Build it, Drive it, Improve it! Hybridz.org
  13. Re:hipotesis by morgan_greywolf · · Score: 5, Insightful

    Or put another way, given the amount people pay for them and the security they advertise, normal certificates are indeed scams.
    Commercially-signed certificates buy you one slight degree of security -- since the certificate is signed by a third party, it means, at least minimally, that someone else trusts the certificate. It's up to you to determine if you trust that someone.
    --
    My blog
  14. Yes, a self-signed certificate is just a secure by hal9000(jr) · · Score: 4, Informative

    The answer to you question is that you can use a self-signed certificate anywhere you can use one signed by a CA, public or not. However, to ensure that you are always talking to the web server and not through a MITM, you must distribute the self-signed certificate or the certificate thumbprint (and then verify it!) through some trusted means.

    Using a public CA like Verisign buys you is that since their public CA certificates are already distributed in browsers, any certificate issued by them should just work. Oh, and make sure the host name matches the common name.

  15. Re:I wonder... by OolimPhon · · Score: 5, Insightful

    False dichotomy. You present two options: ultra paranoid verify everything; and verify nothing. There is in fact a third option: trust MS to publish a list of well established and trusted vendors, and trust those vendors to vouch for a sites authority. That is a third option. And for most people it's the preferable option. If not, it would not be so. Yeah, well, you lost me at "trust MS".
  16. Re:hipotesis by slim · · Score: 5, Informative

    Infact, having a third party signing your certificate potentially reduces it's security, since they are now in possession of the certificate too, and have likely transmitted it to you via plain text email.

    HUH?

    There is nothing whatsoever that is confidential in an X.509 certificate.

    It is a chunk of bytes that says "Public key P corresponds to identity I, according to authority A", and it contains a signature created using A's private key, which ANYONE can check using A's public key.

    During the whole request and issue process, the secret bit -- I's private key, never leaves I's possession.

    The certificate could be printed in the New York Times, with no loss of security.

  17. Re:hipotesis by Digital_Quartz · · Score: 4, Informative

    The problem is that a self-signed certificate suffers from attacks at distribution time, whereas a CA signed certificate does not.

    First, you have to understand what a certificate is. A certificate consists of two parts: a public key, and a subject. The public key has a matching private key, but only the owner of the certificate has the private key (no one else; not even the CA). The subject tells us who the cert belongs to, and it is signed with the private key (so we can use the public key to make sure the subject hasn't been altered).

    If I connect to your server via SSL, and you provide me with a self signed certificate, then that certificate proves that you are you (because of the subject), and it provides a means for us to establish encrypted communication (because of the public key). All is well, right?

    Well, not quite; this only works if you've provided me with your cert ahead of time via some other secure channel (not the web). Otherwise, this setup is vulnerable to the classic "man in the middle" attack. Someone who wants to intercept our communication pretends to be you, and gives me his own "fake" self signed cert. I establish communications with the attacker; the attacker's subject is signed with the attacker's public key, and the attacker has the private key so he can read the messages I send him. The attacker then establishes communications with you, and passes my messages on to you, and the attacker can now listen in on everything we say.

    The attacker could also pretend to be you, again by providing me with a self signed cert that claims to be you.

    The problem in both of these attacks is simply that I have no way to verify that this self signed cert is really your self signed cert. If you had given it to me ahead of time, I could have added it to my list of trusted certs, and then when the attacker presented me with a different cert, I'd know someone was up to something. (Although, how would I know it was really you when you give it to me "ahead of time"? And if we have some out of band secure channel, why aren't we using that instead?)

    Now, why isn't this a problem with CA signed certs? The CA goes through varying levels of pains to verify that you really are you when you submit a signing request. So I get a cert from you, it's signed by the CA's cert's private key. I check the signature against the CA's cert, and I see that it is good. Since I trust the CA, I know that this certificate really is your certificate.

    The man in the middle attack and the "pretending to be you" attack won't work here; if the attacker provides me with a different certificate, then the certificate's signature will either not match the certificate, or else won't have a signature. The attacker could simply grab your certificate (it is provided to anyone who asks for it by your web server - the certificate itself is public knowledge), and then the cert would pass the signature checks, but since the attacker does not have your certificate's private key (only you have that), the attacker would be unable to decrypt any communication I send to him using your certificate.

    There's nothing wrong with self-signed certs in and of themselves. You will notice that the signing certificates belonging to the CAs are self signed. This only makes sense; the CA signed your cert with their cert, but who signed the CA cert? Even if someone did sign it (the uberCA), then who would sign that cert? It has to end somewhere, so it ends at the CA.

    The thing about the CAs' signing certificates is that they are "well known". Everyone has a copy of them; they come with your operating system. If, for some reason, you distrust your OS distributor, you can go find multiple copies of them scattered about the internet. If you could convince OEMs to include your self signed cert, it would be just as good. :)