mailing list archives
Re: SSL Certificate - Internal CA vs "well known CA"
From: Eric G <eric () nixwizard net>
Date: Tue, 07 Aug 2007 15:11:00 +0400
> Just wanted to understand why using a "well known 'trusted' CA"
> (e.g. verisign) is more secure than using an Internal CA to manage
The most basic reason is that browsers include a built-in list of root
CAs that they trust. When you roll your own self signed certificate,
your users will get a popup asking "Do you trust this certificate?"
instead of just connecting and trusting the CA.
When you use a self signed cert, you open yourself up to the
possibility of a man-in-the-middle attack, because theoretically
someone could be hijacking the connection between you and "your bank."
They could insert their own self-signed certificate, and the idea is
the user would read that dialog that pops up (or that separate page
that opens in IE 7) saying "This certificate isn't signed by the right
place, danger will robinson!" and click "No I don't want to connect."
This doesn't usually happen in practice btw... we as users are
trained to click "yes" and "OK."
It should be noted the connection is still over SSL, and is still
encrypted, just be wary of accepting a new certificate after you
accept the self-signed cert that first time. If another, different
certificate is presented that would be your indication that someone
is in the middle.
Lemme know if you have any questions about this explanation
- <Possible follow-ups>
- Re: SSL Certificate - Internal CA vs "well known CA" Eric G (Aug 08)
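Added example, not part of the original post: the "accept it once, then be wary of a different certificate" check from the message above, written as a trust-on-first-use pin store keyed on the SHA-256 fingerprint of the server certificate. The function names, the JSON store format and the host name are assumptions made for illustration, and the demo certificates are constructed byte strings, not real DER.

```python
import hashlib
import hmac
import json
import ssl
from pathlib import Path


def fingerprint(der: bytes) -> str:
    """SHA-256 over the DER-encoded certificate, as hex."""
    return hashlib.sha256(der).hexdigest()


def fetch_der(host: str, port: int = 443) -> bytes:
    """Fetch the server's leaf certificate without validating the chain
    (the self-signed case); trust comes from the pin comparison instead."""
    pem = ssl.get_server_certificate((host, port))
    return ssl.PEM_cert_to_DER_cert(pem)


def check_pin(store: dict, host: str, der: bytes) -> str:
    """Return 'first-use', 'match' or 'changed' for this host's certificate."""
    seen = fingerprint(der)
    pinned = store.get(host)
    if pinned is None:
        store[host] = seen          # the one-time accept decision
        return "first-use"
    if hmac.compare_digest(pinned, seen):
        return "match"
    # Keep the old pin: a different certificate is the warning sign,
    # and must be confirmed out of band before it replaces the pin.
    return "changed"


def save_store(store: dict, path: Path) -> None:
    path.write_text(json.dumps(store, indent=2, sort_keys=True))


def load_store(path: Path) -> dict:
    return json.loads(path.read_text()) if path.exists() else {}


if __name__ == "__main__":
    # Constructed stand-ins for two different DER certificates.
    original, substituted = b"constructed-cert-A", b"constructed-cert-B"
    pins = {}
    for der in (original, original, substituted):
        print(check_pin(pins, "intranet.example", der))
```

Against a live server, pass `fetch_der(host)` as the `der` argument and persist the pins with `save_store` between runs.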