
Security Basics mailing list archives
Re: SSL Certificate - Internal CA vs "well known CA"
From: Eric G <eric () nixwizard net>
Date: Tue, 07 Aug 2007 15:11:00 +0400
> Dear List, Just wanted to understand why using a "well known 'trusted' CA" (e.g. verisign) is more secure than using an Internal CA to manage Certificates
The most basic reason is that browsers include a built-in list of root CAs that they trust. When you roll your own self signed certificate, your users will get a popup asking "Do you trust this certificate?" instead of just connecting and trusting the CA.
When you use a self signed cert, you open yourself up to the possibility of a man-in-the-middle attack, because theoretically someone could be hijacking the connection between you and "your bank." They could insert their own self-signed certificate, and the idea is the user would read that dialog that pops up (or that separate page that opens in IE 7) saying "This certificate isn't signed by the right place, danger will robinson!" and click "No I don't want to connect." This doesn't usually happen in practice btw... we as users are trained to click "yes" and "OK."
It should be noted the connection is still over SSL, and is still encrypted, just be wary of accepting a new certificate after you accept the self-signed cert that first time. If another, different certificate is presented that would be your indication that someone is in the middle.
Lemme know if you have any questions about this explanation
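The two trust models Eric contrasts can be written down as code: a client that trusts only the platform's built-in root list, and a trust-on-first-use (TOFU) pin store that records the fingerprint of the self-signed certificate accepted the first time and raises an alarm when a different certificate shows up for the same host. This is an added example, not code from Eric's message or from the list; the DER byte strings are constructed stand-ins (real ones come from `getpeercert(binary_form=True)`), and the host names and the `TofuPinStore` / `peer_cert_der` helpers are hypothetical names chosen for this example. It uses only the Python standard library.

```python
import hashlib
import json
import socket
import ssl

# Constructed stand-ins for DER-encoded certificates (real certificates are
# ASN.1 DER; these bytes only need to be distinct for the fingerprint logic).
CERT_FIRST_VISIT = b"-- constructed DER: self-signed cert, first visit --"
CERT_UNCHANGED = CERT_FIRST_VISIT
CERT_SWAPPED = b"-- constructed DER: a different cert for the same host --"


def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of a DER certificate, the value browsers display."""
    return hashlib.sha256(der).hexdigest()


class TofuPinStore:
    """Trust-on-first-use store.

    Remembers the first certificate seen for each host and flags any later
    change. This is the manual check the post describes: accepting a
    self-signed cert once is a judgment call, but a *different* cert for the
    same host afterwards is the signal that someone may be in the middle.
    """

    def __init__(self, pins=None):
        self.pins = dict(pins or {})  # host -> sha256 hex fingerprint

    def check(self, host: str, der: bytes) -> str:
        fp = fingerprint(der)
        known = self.pins.get(host)
        if known is None:
            self.pins[host] = fp  # first contact: pin it and let the user decide
            return "first-use"
        if known == fp:
            return "match"  # same cert as before: nothing to worry about
        return "mismatch"  # different cert: stop and investigate, do not click OK

    def to_json(self) -> str:
        """Serialise the pins so they survive across sessions."""
        return json.dumps(self.pins, sort_keys=True)

    @classmethod
    def from_json(cls, text: str) -> "TofuPinStore":
        return cls(json.loads(text))


def verifying_context() -> ssl.SSLContext:
    """Context for the well-known-CA model: the chain must lead to a root in
    the platform trust store and the name must match, or the handshake fails
    instead of asking the user anything."""
    ctx = ssl.create_default_context()
    # create_default_context() already sets both of these; stated explicitly
    # so the contrast with the TOFU fetch below is visible.
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def verifying_context_is_strict() -> bool:
    ctx = verifying_context()
    return ctx.check_hostname and ctx.verify_mode == ssl.CERT_REQUIRED


def peer_cert_der(host: str, port: int = 443, timeout: float = 5.0) -> bytes:
    """Fetch the leaf certificate presented by a server so it can be pinned.

    Chain validation is deliberately skipped here because an internal
    self-signed cert would never pass it; the TofuPinStore supplies the trust
    decision instead. Network call, not exercised in the offline demo.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def demo() -> list:
    """Walk the constructed certificates through the TOFU store."""
    store = TofuPinStore()
    host = "intranet.example"  # hypothetical internal host
    results = [
        store.check(host, CERT_FIRST_VISIT),
        store.check(host, CERT_UNCHANGED),
        store.check(host, CERT_SWAPPED),
    ]
    # Pins round-trip through JSON unchanged.
    reloaded = TofuPinStore.from_json(store.to_json())
    results.append(reloaded.check(host, CERT_FIRST_VISIT))
    return results


if __name__ == "__main__":
    for step, verdict in zip(("first visit", "revisit", "swapped cert", "after reload"), demo()):
        print(f"{step:>13}: {verdict}")
```

The design point is where the trust decision lives: with a public root list the client refuses a bad chain on its own, while with a self-signed cert the only thing standing between the user and a swapped certificate is a remembered fingerprint, which is why the store treats a mismatch as a hard stop rather than another "OK" dialog.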
Current thread:
- SSL Certificate - Internal CA vs "well known CA" sfmailsbm (Aug 06)
- Re: SSL Certificate - Internal CA vs "well known CA" Vinicius Vianna (Aug 06)
- Re: SSL Certificate - Internal CA vs "well known CA" Pranay Kanwar (Aug 06)
- SSL Certificate: Any Recommendations on Specific Vendors Iwekani Mukoma (Aug 06)
- Re: SSL Certificate: Any Recommendations on Specific Vendors MaddHatter (Aug 08)
- Fwd: SSL Certificate - Internal CA vs "well known CA" kevin fielder (Aug 08)
- RE: SSL Certificate - Internal CA vs "well known CA" Burns, Doug (Aug 08)
- SSL Certificate: Any Recommendations on Specific Vendors Iwekani Mukoma (Aug 06)
- <Possible follow-ups>
- Re: SSL Certificate - Internal CA vs "well known CA" Eric G (Aug 08)