[thelist] SSL Certificate Choices

Ken Schaefer Ken at adOpenStatic.com
Sun Jan 27 19:20:51 CST 2008


-----Original Message-----
From: thelist-bounces at lists.evolt.org [mailto:thelist-bounces at lists.evolt.org] On Behalf Of Mark Groen
Sent: Sunday, 27 January 2008 12:43 PM
To: thelist at lists.evolt.org
Subject: Re: [thelist] SSL Certificate Choices

On January 26, 2008 2:09:04 pm Robert Gormley wrote:
> > That seems odd. Are you saying that if the entire chain is on the
> > server, up to and including a root certificate, the browser will not
> > prompt for the use of an untrusted root cert? That seems both odd, and
> > an utterly huge security hole...
>
> No security hole there, it is still an SSL connection regardless if the cert
> is a free self-signed one or not. The only difference is the signing
> authority is yourself instead of Verisign (for example).

As described by Robert, it is a security hole (as he rightly points out). Certificates are not just for establishing a secure tunnel, but also for one-way or mutual authentication.

If I install a cert that says I am "www.amazon.com" and have my own CA issue that, why should a browser automatically trust that I really am www.amazon.com just because I put my root CA cert on my server?

Of course the general user should *not* trust that, and their browser would rightly warn them that the cert is issued by an untrusted party.

Cheers
Ken


