Fwd: SSL Certificate - Internal CA vs "well known CA"
From: "kevin fielder" <kevin.fielder () gmail com>
Date: Tue, 7 Aug 2007 18:06:51 +0100
Hi, some follow up thoughts on this:
If it is a public site, regardless of purpose, I wouldn't think that this
is a particularly good idea unless you have a secure mechanism for
distributing the certificate, and a way of assuring the site's users of
the safety of this.
As stated below there are various ways to compromise the CA and key
distribution process. Also a big advantage of using an external,
trusted CA is that users' browsers already have a list of trusted CAs so
will trust the certificate your site is using without having to add the
cert or your CA manually.
I would also think that we don't want to start educating people that it
is OK to add certificates or certificate authorities to those trusted by
their browser as good practice - this would surely open up a nice avenue
for social engineering attacks.
For an internal intranet-type site, then setting up a local CA and adding
it to the browsers' trusted CAs (for example via group policy) may be
perfectly workable. Obviously you still need to ensure the security of
the local CA and ensure that it doesn't become compromised in any way.
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
On Behalf Of Pranay Kanwar
Sent: 06 August 2007 22:00
To: sfmailsbm () gmail com
Cc: security-basics () securityfocus com
Subject: Re: SSL Certificate - Internal CA vs "well known CA"
The following points can accommodate this
An open CA is vulnerable to key substitution and other forms of attacks.
Let's suppose you create a certificate and distribute it by email or on
the web, how can one verify its correctness? For example, if you website
*install this certificate* how can one validate that your certificate
the intended one and no one during that time has compromised the
to your server and presented an invalid certificate?
The trusted CAs also use other forms of validation.
You can use internal CA and keep things secure, but again the
will be another cryptographic problem.
warl0ck // MSG
sfmailsbm () gmail com wrote:
Just wanted to understand why using a "well known 'trusted' CA" (e.g.
verisign) is more secure than using an Internal CA to manage
e.g. if a company wants to publish a non-financial site (as opposed
to, say, Internet Banking) would not an Internal CA be as Secure as an
What is the real (security) benefit of using (expensive) external
(e.g. Verisign) Certs?
Thank you for your comments