Security Basics mailing list archives
Fwd: SSL Certificate - Internal CA vs "well known CA"
From: "kevin fielder" <kevin.fielder () gmail com>
Date: Tue, 7 Aug 2007 18:06:51 +0100
Hi, some follow up thoughts on this: If it is a public site, regardless of purpose I wouldn't think that this is a particularly good idea unless you have a secure mechanism for distributing the certificate, and a way of assuring the sites users of the safety of this. As stated below there are various ways to compromise the CA and key distribution process. Also a big advantage of using an external, trusted CA is that users browsers already have a list of trusted CAs so will trust the certificate your site is using without having to add the cert or your CA manually. I would also think that we don't want to start educating people that it is OK to add certificates or certificate authorities to those trusted by their browser as good practice - this would surely open up a nice avenue for social engineering attacks. For an internal intranet type site then setting up a local CA and adding it to the browsers trusted CAs (for example via group policy) may be perfectly workable. Obviously you still need to ensure the security of the local CA and ensure that it doesn't become compromised in any way. Cheers K -----Original Message----- From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Pranay Kanwar Sent: 06 August 2007 22:00 To: sfmailsbm () gmail com Cc: security-basics () securityfocus com Subject: Re: SSL Certificate - Internal CA vs "well known CA" The following points can accommodate this An open CA is vulnerable to key substitution and other forms of attacks. Lets suppose you create a certificate and distribute it by email or on the web how can one verify its correctness ? For example, if you website says *install this certificate* how can one validate that your's certificate is the intended one and no one during that time has compromised the connection to your server and presented an invalid certificate ?. The trusted CA's also use other forms of validation. You can use internal CA and keep things secure, but again the certificate distribution will be another cryptographic problem. regards warl0ck // MSG sfmailsbm () gmail com wrote:
Dear List, Just wanted to understand why using a "well known 'trusted' CA" (e.g.
verisign) is more secure than using an Internal CA to manage Certificates
e.g. if a company wants to publish a non-financial site (as opposed
to, say, Internet Banking) would not an Internal CA be as Secure as an external one?
What is the real (security) benefit of using (expensive) external
(e.g. Verisign) Certs?
Thanks you for your comments
Current thread:
- SSL Certificate - Internal CA vs "well known CA" sfmailsbm (Aug 06)
- Re: SSL Certificate - Internal CA vs "well known CA" Vinicius Vianna (Aug 06)
- Re: SSL Certificate - Internal CA vs "well known CA" Pranay Kanwar (Aug 06)
- SSL Certificate: Any Recommendations on Specific Vendors Iwekani Mukoma (Aug 06)
- Re: SSL Certificate: Any Recommendations on Specific Vendors MaddHatter (Aug 08)
- Message not available
- Fwd: SSL Certificate - Internal CA vs "well known CA" kevin fielder (Aug 08)
- RE: SSL Certificate - Internal CA vs "well known CA" Burns, Doug (Aug 08)
- SSL Certificate: Any Recommendations on Specific Vendors Iwekani Mukoma (Aug 06)
- <Possible follow-ups>
- Re: SSL Certificate - Internal CA vs "well known CA" Eric G (Aug 08)