Security Basics mailing list archives

Re: SSL Certificate - Internal CA vs "well known CA"
From: Eric G <eric () nixwizard net>
Date: Tue, 07 Aug 2007 15:11:00 +0400

> Dear List,
> Just wanted to understand why using a "well known 'trusted' CA" (e.g. verisign)
> is more secure than using an Internal CA to manage Certificates

The most basic reason is that browsers include a built-in list of root CAs that they trust. When you roll your own self signed certificate, your users will get a popup asking "Do you trust this certificate?" instead of just connecting and trusting the CA.

When you use a self signed cert, you open yourself up to the possibility of a man-in-the-middle attack, because theoretically someone could be hijacking the connection between you and "your bank." They could insert their own self-signed certificate, and the idea is the user would read that dialog that pops up (or that separate page that opens in IE 7) saying "This certificate isn't signed by the right place, danger will robinson!" and click "No I don't want to connect." This doesn't usually happen in practice btw... we as users are trained to click "yes" and "OK."

It should be noted the connection is still over SSL, and is still encrypted; just be wary of accepting a new certificate after you accept the self-signed cert that first time. If another, different certificate is presented, that would be your indication that someone is in the middle.

Lemme know if you have any questions about this explanation
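
The check described in the message above (remember the certificate accepted the first time, and treat a different one later as a warning sign) can be automated. This is an added example, not part of the original post; the `PinStore` class, the host name and the sample certificate bytes are assumptions made for illustration.

```python
import hashlib
import hmac
import json
from pathlib import Path


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate."""
    return hashlib.sha256(der_cert).hexdigest()


class PinStore:
    """Hypothetical helper: remembers the first certificate accepted per host."""

    def __init__(self, path=None):
        self.path = Path(path) if path else None
        self.pins = {}
        if self.path and self.path.exists():
            self.pins = json.loads(self.path.read_text())

    def check(self, host: str, port: int, der_cert: bytes) -> str:
        key = f"{host.lower()}:{port}"
        seen = fingerprint(der_cert)
        pinned = self.pins.get(key)
        if pinned is None:
            # First contact: nothing to compare against, so this acceptance is
            # unauthenticated. Verify the fingerprint out of band if possible.
            self.pins[key] = seen
            if self.path:
                self.path.write_text(json.dumps(self.pins, indent=2))
            return "first-use"
        if hmac.compare_digest(pinned, seen):
            return "match"
        # Different certificate than the one accepted earlier: keep the old pin
        # and let the caller refuse the connection. A legitimate renewal also
        # lands here and needs a deliberate re-pin by an administrator.
        return "mismatch"


# Constructed stand-ins for DER certificate bytes. In real use these would come
# from ssl.SSLSocket.getpeercert(binary_form=True).
CERT_INTERNAL = b"constructed-der-bytes: internal self-signed cert"
CERT_OTHER = b"constructed-der-bytes: different cert presented later"

if __name__ == "__main__":
    store = PinStore()
    for cert in (CERT_INTERNAL, CERT_INTERNAL, CERT_OTHER):
        print(store.check("intranet.example", 443, cert))
```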

