Security Basics mailing list archives

RE: SSL Certificate - Internal CA vs "well known CA"


From: "Burns, Doug" <burns_doug () bah com>
Date: Wed, 8 Aug 2007 11:26:38 -0400

Great point in the 3rd paragraph...

             Doug 

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
On Behalf Of kevin fielder
Sent: Tuesday, August 07, 2007 1:07 PM
To: security-basics () securityfocus com
Subject: Fwd: SSL Certificate - Internal CA vs "well known CA"

Hi, some follow up thoughts on this:

If it is a public site, regardless of purpose, I wouldn't think that this
is a particularly good idea unless you have a secure mechanism for
distributing the certificate, and a way of assuring the site's users of
the safety of this.

As stated below, there are various ways to compromise the CA and key
distribution process.  Also, a big advantage of using an external,
trusted CA is that users' browsers already have a list of trusted CAs, so
will trust the certificate your site is using without having to add the
cert or your CA manually.

I would also think that we don't want to start educating people that it
is OK to add certificates or certificate authorities to those trusted by
their browser as good practice - this would surely open up a nice avenue
for social engineering attacks.

For an internal intranet-type site, setting up a local CA and adding
it to the browsers' trusted CAs (for example via group policy) may be
perfectly workable.  Obviously you still need to ensure the security of
the local CA and ensure that it doesn't become compromised in any way.

Cheers

K


-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
On Behalf Of Pranay Kanwar
Sent: 06 August 2007 22:00
To: sfmailsbm () gmail com
Cc: security-basics () securityfocus com
Subject: Re: SSL Certificate - Internal CA vs "well known CA"

The following points can accommodate this

An open CA is vulnerable to key substitution and other forms of attacks.
Let's suppose you create a certificate and distribute it by email or on
the web; how can one verify its correctness? For example, if your website
says *install this certificate*, how can one validate that your
certificate is the intended one and no one during that time has
compromised the connection to your server and presented an invalid
certificate?

The trusted CAs also use other forms of validation.

You can use an internal CA and keep things secure, but again the
certificate distribution will be another cryptographic problem.

regards

warl0ck // MSG

sfmailsbm () gmail com wrote:
Dear List,
Just wanted to understand why using a "well known 'trusted' CA" (e.g.
verisign) is more secure than using an Internal CA to manage
Certificates

e.g. if a company wants to publish a non-financial site (as opposed
to, say, Internet Banking) would not an Internal CA be as Secure as an
external one?

What is the real (security) benefit of using (expensive) external
(e.g. Verisign) Certs?

Thank you for your comments


