RE: WAS: Bittorrent - utorrent NOW: Certificate Talk

["Erick Jensen" <ejensen () vibrant com>]

Another point is the big guys provide insurance.  If your encryption is
cracked they cover damages up to whatever amount.  That's the only plus
(I see) to using one of the larger certificate companies.



-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
On Behalf Of Tremaine Lea
Sent: Sunday, March 18, 2007 6:41 PM
To: Randal T.Rioux
Cc: focus-ids () securityfocus com
Subject: Re: WAS: Bittorrent - utorrent NOW: Certificate Talk


On 18-Mar-07, at 12:45 AM, Randal T. Rioux wrote:

> Tremaine Lea wrote:
> > Having said that, the BCSG *will* refuse self-signed certs and  
> > expired
> > certs etc.
>
> That is the stupidest thing I've ever heard. Honestly, a paid-for cert
> is barely more trustworthy than a self-signed cert. The entire cert
> system is broken by design, and benefits nobody but the money  
> collectors
> at the major companies (VeriSign, Entrust, etc).
>
> Can somebody convince me that my understanding is mistaken?
>
> Thanks,
> Randy



It's as stupid as IE7's handling of it really.  Without a better  
understanding of the certification process by the end user, the  
benefits are certainly not as clear.  Certainly it prevents MITM  
issues during the https transaction, but that may be about it with  
some exceptions.   With IE7 it can certainly produce problems on an  
internal network, at least initially.  IE7 will actually refuse to  
connect you with the site.  Bluecoat at least provides you with the  
opportunity to exclude a network from checks, like your own.


On the pros side of the fence, with a paid certificate such as those  
through Verisign, the benefit over a self signed cert is a lot  
clearer.  Unfortunately there are companies that will hand you a cert  
with very little in the way of verification which destroys the  
usefulness of it.  Self signed certs are useful in instances where  
you trust the issuer to begin with, or in corporate networks.  For a  
small company trying to establish an ecommerce presence however, they  
have not yet earned the trust or established themselves to the point  
where jane and joe intertubes can (or should?) trust them.

Tremaine

------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it 
with real-world attacks from CORE IMPACT.
Go to
http://www.coresecurity.com/index.php5?module=Form&action=impact&campaig
n=intro_sfw 
to learn more.
------------------------------------------------------------------------


------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it
with real-world attacks from CORE IMPACT.
Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw
to learn more.
------------------------------------------------------------------------