In other words, what would be the security risk of not signing public key certificates by certificate authorites (from a user perspective)? I mean, the data is still encrypted... What could a man in the middle do with a non signed certificate?
-
The purpose of SSL when used with HTTP is not just to encrypt the traffic, but also to authenticate who the owner of the website is, and that someone's been willing to invest time and money into proving the authenticity and ownership of their domain.
It's like purchasing a relationship, not just encryption, and the relationship instils, or assumes, a certain level of trust.
That said, I asked a similar question a few months ago, and the basic answer that came back was "SSL is a bit of a scam"
Olivier Lalonde : I thought SSL certificates were issued for IPs, not domains. Why did you need different certificates for domains hosted on the same IP? Furthermore, the Wikipedia page on HTTPS mentions it is possible to get certificates for free... The CA business really sounds like a scam to me.Zypher : Certs are issued for domains. There is nothing preventing you from generating a self signed certificate, it'll just pop up a scary warning (that people won't read) because the browser doesn't trust the issuing CA. The "multiple SSL on One IP" issue has been discussed many times here. Here's a thread with a good answer http://serverfault.com/questions/73162/can-i-run-two-different-secure-sites-using-the-port-443-on-the-same-serverFarseeker : Thanks Zypher, you took the words out of my mouth :) And certificates for for domains, not IP's. We have three IP addresses for three servers that serve our heaviest website, and they all have the same certificate loaded.From Farseeker -
The SSL business is indeed a bit of a scam. More than a bit, in fact, when you're paying about 20p per byte for some cryptographically-interesting data. What you're paying for is for whichever CA you use to sign your certificate with one of their private keys after proving to themselves that you are indeed entitled to use the domain/host name that the certificate is for. As Farseeker says, it's a trust relationship - the CA trusts you (after they've vetted you), the world's web browsers trust the CA (usually), and therefore the worlds web browsers will trust your cert. And don't get me started about Extended Validation...
From RainyRat -
Imagine a situation where you are to deliver $1,000,000 to a person named John Smith you have never met or communicated with. You are told you can meet him in a crowded public location. When you go to meet him you will need some way to be sure that he is actually the person you are looking for, and not some other random person claiming to be John Smith. You might ask for some government ID, a business card. You might ask a person you trust who has actually met the John Smith for help identifying him.
A self-signed certificate uniquely identifies a system, but it doesn't do anything to prove that the system is who it claims to be. I can easily self-sign a certificate and claim to be serverfault.com, google.com, or yourbank.com. Certificate Authorities basically act as a third party that is trusted by the client to verify a certificate is actually valid for the name the site claims to own.
Olivier Lalonde : I understand your point. However, I believe certificates should be considered as an additional layer on top of SSL (as it should be). As it is right now, a lot of websites can't use simple SSL encryption because web browsers issue scary warnings. Sometimes, simple encryption is good enough to prevent passive packet sniffingFrom Zoredache
0 comments:
Post a Comment