

Two tiered SSL certificates - uruzseven
http://www.sethsblog.com/two-tiered-ssl-certificates

======
iigs
This theoretically works for passive observation attacks but is not helpful
against the threat outlined in the article -- the Man In The Middle attack.

As a hostile AP owner, I could intercept all SSL communication, originate it
myself from the AP to the remote site and present my own forged self-signed
certificates to the AP user. The user would see a self-signed certificate, not
suspect that the AP was doing anything bad, meanwhile the AP could be
harvesting all of the data in the connection, or even change it if it was
somehow beneficial to the bad guy.

SSL keys work because there's a preexisting chain of trust between you and the
site you're visiting (because you trust the root CAs, and the site gets its
certs, possibly indirectly, from the same root CA provider). With a self-signed
cert there's no preexisting chain of trust and the communication cannot be
secured.

------
there
<http://cert.startcom.org/> offers free SSL certificates and they do some
basic validation of domain ownership before issuing a certificate.

Encourage more vendors to import their CA certificate into their browsers and
you won't have to deal with the insecurity of self-signed certificates.

------
uruzseven
@iigs

Very true. I don't think this is the silver bullet that will end all attacks
but it's one additional step to something better.

With Firefox 3, a huge error is displayed if I use a self-signed certificate,
which makes the user think this is not secure and they may leave.

------
cperciva
Sometimes it's best to leave things to the experts. Security is one of those
times.

~~~
wmf
Is there consensus among experts about self-signed certificates? What about
the new Firefox 3 UI?

------
bprater
I like this concept.

Top-tier firms do little in truly protecting the consumer. Fax a letterhead to
them for proof that my business exists? Anyone can do that in 60 seconds with
Microsoft Word.

The problem is that browsers would need to be updated with this change. And how
do you explain it to consumers?

