Hacker News | Two tiered SSL certificates

Hacker News

new | comments | leaders | jobs | submit

	Two tiered SSL certificates (sethsblog.com)
	4 points by uruzseven 567 days ago \| 6 comments

4 points by iigs 567 days ago | link

This theoretically works for passive observation attacks but is not helpful against the threat outlined in the article -- the Man In The Middle attack.

As a hostile AP owner, I could intercept all SSL communication, originate it myself from the AP to the remote site and present my own forged self signed certificates to the AP user. The user would see a self signed certificate, not suspect that the AP was doing anything bad, meanwhile the AP could be harvesting all of the data in the connection, or even change it if it was somehow beneficial to the bad guy.

SSL keys work because there's preexisting chain of trust between you and the site you're visiting (because you trust the root CAs, and the site gets their certs, possibly indirectly, from the same root CA provider). With a self signed cert there's no preexisting chain of trust and the communication can not be secured.

-----

2 points by there 567 days ago | link

http://cert.startcom.org/ offers free ssl certificates and they do some basic validation of domain ownership before issuing a certificate.

encourage more vendors to import their CA certificate into their browsers and you won't have to deal with the insecurity of self-signed certificates.

-----

2 points by cperciva 567 days ago | link

Sometimes it's best to leave things to the experts. Security is one of those times.

-----

1 point by wmf 567 days ago | link

Is there consensus among experts about self-signed certificates? What about the new Firefox 3 UI?

-----

1 point by uruzseven 567 days ago | link

@iigs

Very true. I don't think this is the silver bullet that will end all attacks but it's one additional step to something better.

With Firefox 3, a huge error is displayed if I use a self-signed certificate which makes the user think this is not secure and they may leave.

-----

0 points by bprater 567 days ago | link

I like this concept.

Top-tier firms do little in truly protecting the consumer. Fax a letterhead to them for proof that my business exists? Anyone can do that in 60 seconds with Microsoft Word.

The problem is that browser would need to be updated with this change. And how do you explain it to consumers?

-----