Main » 2011 » Март » 16 » On the selfsigned certificates
13:22
On the selfsigned certificates
In connection with my participation in the project fin-ack.com constantly confronted with such remarks: I do not trust vashomu self-signed certificate, why do not you buy a "normal" certificate?
To me, this is a case of misunderstanding and prejudice, which so much for security on the Internet. (Like the famous "hackers, crackers, spam, cookies:). I want to parse it from two perspectives: as a man for some time worked in the field of information security at the bank and have dealt with most aspects of information security, and as a person involved in the design and development of Internet services.

But first answer the question why we do not have a "normal" certificate? (In fact, recently there:) The biggest reason is that in our list of priorities that the item was on the N-dimensional place, and only now, all N-1 of the preceding paragraphs have been met. When working on a new project, always have something to give up, because resources, particularly time, are limited ...

And why is he standing right on N-dimensional place?
Firstly, why do need a certificate SSL? In order to encrypt the HTTP-connection between the browser and the sites that will be sent a password and any other confidential data. What will change if the certificate is not signed by a trusted certification authority? Nothing! The connection will still be encrypted the same way. The only possible problem: the middle-man attack, which the Internet is usually phishing'om or pharming'om.
  • When users are redirected to the phishing site with a similar URL. In this case, the browser always displays a warning about a certificate (the same warning also appears when you first call on a real site with a self-signed certificate).

    In general, in this situation, simply look to what the domain is certified, and if this is the domain where you would get, add the certificate to the trusted. After this, any message about an untrusted certificate for this site can be viewed as an alarming bell.
  • Difference of pharming is that in this case the user will get how-to on the site, which would (judging from the URL). However, he as well as with phishing, the message about an untrusted certificate.

But many people are investing in an SSL certificate make more sense:
... If the certificate is issued by a Verisign-ohm (for example), then this sort of "guarantee" that in this website is a real organization / individual and so at least "there is nobody to ask in case anything happens." Ie do this as a guarantee of "serious" intentions of the owners.
We are aware that such an opinion has the right to life. But it's not so simple. Nothing prevents to buy a certificate from Verisign or another vendor at the office or lime bogus personal details. They can not verify that the client legal grounds to impersonate conditional LLC "Barnyard" from Perm, Rossyskaya Federation. The only thing that is checked when issuing the certificate - this is what belongs to you whether the domain for which you request it.
So as for me, the purchase of Certificates of Verisign'a - it is only a demonstration that the company is willing to throw $ 500 and a few man-hours, and even more on utryasenie all organizational issues, rather than to spend time and money to develop new opportunities or real improvement in the security system. Generally, Verisign - is for banks. There are other vendors, which is easier and cheaper (for example - below).

But most importantly, more. Any computer system is vulnerable to the extent of its vulnerability least secure link. A good approach to security - it is always a set of measures, which must take into account all the risks and give everyone enough attention. I'll try to list the major risks of Safety when user data for the standard of the Internet project, dealing with personal information (Web mail, personal accountant, etc.) in order of importance:
  1. Not quite elaborate system of access to confidential data, which has a hole
  2. Problems in the software that is used by system (OS, Web server, the implementation of encryption protocols) that allow to carry out hacking
  3. attacks like man-middle, social engineering

Phishing / pharming (man in the middle ), in my opinion, one of the least important risks, since it is much harder to implement, it quickly overlap and, therefore, such an attack is only useful for systems with very large numbers of users, from which we can quickly extract a very valuable data (the classic example: internet banking). Compared with this a lot easier to run a vulnerability scanner and find that the system uses an older version of OpenSSH for Windows, or do not have some sort of patch (to us every day, knocking on thousands of testers:). Or find some sort of XSS or SQL-injection vulnerability. That's not to mention the more complex problem of creating secure Internet systems, such as, for example, the correct use of sessions (and cookies) to authenticate. It is this need to pay attention to in the first place!

Another aspect of security associated with the certificates. Whether it is self-signed or issued Verisign'om, still has an associated secret key, which must be stored somewhere. Moreover, he constantly used the web server when you open a HTTPS-connections, ie it can not be applied once at vklyuchnii power to keep the stick and hide in the safe. What happens if someone gets hold of a key? (Programmer, who had access to the server, an attacker or someone else). Ideally, this key is encrypted, but if you want, and availability of resources, it is possible to decipher (and right now it's cheaper than to organize a phishing attack). But we do not take into account that some of the web server or a reverse-proxy can not work with encrypted keys. And because the password can be zahardkozhen somewhere in the text of a program or script that it runs ... so that at some site flaunts birochka that its SSL certificate signed by Verisign, gives no guarantee that one day appears pharming analog, using the same certificate with a stolen private key.

At this point I do not even think of such aspects associated with the system of PKI, as it features support for various specific platforms, such as j2me ...

Summary: there are things that are generally correct, but not always worth the effort. The concentration of startups must be in another, and little things like the "right" certificate must go the second echelon. First, as the Americans say, to «get the product right». Everything has its time.

P.S. Actually, I understand that the pytatsya change public opinion, it's easier for him adjusted to, so we already have the "right" certificate (the time has come). By the way, which is 10 times cheaper than most (thanks to GoDaddy!). The purpose of this paper is primarily to once again touch on the inexhaustible topic of information security on the Internet and try to correct accents in one of its aspects.
Views: 565 | Added by: w1zard | Rating: 0.0/0
Total comments: 0
Имя *:
Email *:
Код *: