Old 01-16-2010, 03:56 PM
Vadkan Jozsef
 
outdated ssl cert

what is a self-signed outdated ssl cert worth? [https]

could it be tricked [https] in a way that the end user will not
recognize? [e.g. he already accepted the cert one time, and the browser
would warn her if it had been "attacked"?]

...I mean, does an outdated self-signed certificate give the same security
as a normal cert?

thanks


--
To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
 
Old 01-16-2010, 03:59 PM
Vadkan Jozsef
 
outdated ssl cert

what is a self-signed outdated ssl cert worth? [https]

could it be tricked [https] in a way that the end user will not
recognize? [e.g. he already accepted the cert one time, and the browser
would warn her if it had been "attacked"?]

...I mean, does an outdated self-signed certificate give the same security
as a normal cert?

thanks

--
users mailing list
users@lists.fedoraproject.org
To unsubscribe: https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Communicate/MailingListGuidelines
 
Old 01-16-2010, 04:21 PM
Craig White
 
outdated ssl cert

On Sat, 2010-01-16 at 17:59 +0100, Vadkan Jozsef wrote:
> what is a self-signed outdated ssl cert worth? [https]
>
> could it be tricked [https] in a way that the end user will not
> recognize? [e.g. he already accepted the cert one time, and the browser
> would warn her if it had been "attacked"?]
>
> ...I mean, does an outdated self-signed certificate give the same security
> as a normal cert?
----
whether 'expired' or 'current', a self-signed certificate offered by a
web server only has worth if you trust the signer of the certificate and
you have reason to believe that the certificate being offered is indeed
the one signed by whoever you believe worthy of the trust. If the
certificate is expired, it is certain to generate a warning every time
you encounter it.

I use self-signed certs all of the time - I trust myself. I have to
convince other users to trust the certificates that I sign.

The browser only sees the certificate and knows whether it has been
signed by an already trusted certificate authority. Some certificate
authorities are out of the box trusted by your web browser. Many are
not.

Craig


 
Old 01-16-2010, 04:48 PM
Eduardo M KALINOWSKI
 
outdated ssl cert

On 01/16/2010 02:56 PM, Vadkan Jozsef wrote:
> what is a self-signed outdated ssl cert worth? [https]
>
> could it be tricked [https] in a way that the end user will not
> recognize? [e.g. he already accepted the cert one time, and the browser
> would warn her if it had been "attacked"?]
>
> ...I mean, does an outdated self-signed certificate give the same security
> as a normal cert?

If by "outdated" you mean "expired", that is, it's not valid anymore,
then any browser (or other software that uses certificates) should warn
the user, regardless of whether it's self-signed or not.



--
An empty cab drove up and Sarah Bernhardt got out. -Arthur Baer,
American comic and columnist

Eduardo M KALINOWSKI
eduardo@kalinowski.com.br


 
Old 01-16-2010, 04:58 PM
Steven Stern
 
outdated ssl cert

On 01/16/2010 11:21 AM, Craig White wrote:
> On Sat, 2010-01-16 at 17:59 +0100, Vadkan Jozsef wrote:
>> what is a self-signed outdated ssl cert worth? [https]
>>
>> could it be tricked [https] in a way that the end user will not
>> recognize? [e.g. he already accepted the cert one time, and the browser
>> would warn her if it had been "attacked"?]
>>
>> ...I mean, does an outdated self-signed certificate give the same security
>> as a normal cert?
> ----
> whether 'expired' or 'current', a self-signed certificate offered by a
> web server only has worth if you trust the signer of the certificate and
> you have reason to believe that the certificate being offered is indeed
> the one signed by whoever you believe worthy of the trust. If the
> certificate is expired, it is certain to generate a warning every time
> you encounter it.
>
> I use self-signed certs all of the time - I trust myself. I have to
> convince other users to trust the certificates that I sign.
>
> The browser only sees the certificate and knows whether it has been
> signed by an already trusted certificate authority. Some certificate
> authorities are out of the box trusted by your web browser. Many are
> not.
>
> Craig
>
>

Because I have a hard time remembering how to generate self-signed
certs, I set the expiration date for 5 years the last time I had to
create them.

--

Steve
 
Old 01-16-2010, 05:06 PM
Bruno Wolff III
 
outdated ssl cert

On Sat, Jan 16, 2010 at 17:59:32 +0100,
Vadkan Jozsef <jozsi.avadkan@gmail.com> wrote:
> what is a self-signed outdated ssl cert worth? [https]
>
> could it be tricked [https] in a way that the end user will not
> recognize? [e.g. he already accepted the cert one time, and the browser
> would warn her if it had been "attacked"?]
>
> ...I mean, does an outdated self-signed certificate give the same security
> as a normal cert?

Using https, even with certs that don't provide identity assurance, still
makes eavesdropping harder (relative to using unencrypted http). Instead of a
passive attack, you need to do an active man-in-the-middle attack.

Also note that every top-level certificate is self-signed. What makes some
special to most people is that they are delivered with browsers and
don't generate warnings by default. This may or may not be a useful thing
depending on what you expect them to be doing for you.
 
Old 01-16-2010, 09:36 PM
Tim
 
outdated ssl cert

On Sat, 2010-01-16 at 11:58 -0600, Steven Stern wrote:
> Because I have a hard time remembering how to generate self-signed
> certs, I set the expiration date for 5 years the last time I had to
> create them.

I'm not sure that I see a good reason for setting an expiry date, at
all.

It'd probably be a lot more useful if the certificate issuers
revalidated certificates periodically, leaving the same one alone if
it's fine, destroying it if impossible to revalidate.

--
[tim@localhost ~]$ uname -r
2.6.27.25-78.2.56.fc9.i686

Don't send private replies to my address, the mailbox is ignored. I
read messages from the public lists.



 
Old 01-18-2010, 03:50 PM
"Boyd Stephen Smith Jr."
 
outdated ssl cert

On Saturday 16 January 2010 10:56:29 Vadkan Jozsef wrote:
> ...I mean, does an outdated self-signed certificate give the same security
> as a normal cert?

It depends on what you mean by security. You do get the same level of
end-to-end encryption -- so attackers attempting to read the connection after
it has been established will be stymied.

However, you do not get the same level of authenticity verification. So, you
don't know the validity of the end point you are negotiating with. This
allows an attacker to attack the connection setup -- a man-in-the-middle
attack. A successful man-in-the-middle attack results in total compromise of
the data transferred; the attacker can both record and manipulate the data
exchanged in either direction or both.

Depending on the user agent (browser), once the user has accepted a
self-signed certificate for a certain domain the user might not be prompted
about the same certificate (based on secure hash) for the same domain. In this
case, if the first connection was NOT intercepted, future connections would
NOT be subject to man-in-the-middle attack. Also, if the first connection WAS
intercepted and future connections were NOT, the user would be prompted
because the certificate presented would have changed (based on secure hash).

Finally, if users or user agents can be transmitted the expected hash of a
self-signed certificate presented by a certain domain using a secure path
prior to establishing the connection, the self-signed certificate is as good
as one with a cert chain ending in a CA. The CA infrastructure is established
as a means of confirming the hash <-> domain mapping without every site having
to communicate their hash to every potential user.
--
Boyd Stephen Smith Jr.
bss@iguanasuicide.net
ICQ: 514984 YM/AIM: DaTwinkDaddy
http://iguanasuicide.net/
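An added example, written for this archive page and not code from any of the posters, that puts the points of the last few messages into runnable Go using only the standard library. It generates a self-signed certificate with a chosen lifetime (Steven's five years is the value used), checks that a certificate is self-signed in the same sense a browser's shipped root certificate is (Bruno's point: issuer equals subject and the signature verifies under the certificate's own key), and implements the trust-on-first-use behaviour Boyd describes: the SHA-256 hash of the certificate is remembered for the host on first acceptance, a different hash for the same host is rejected, and a certificate outside its validity period is rejected regardless of pinning (Eduardo's point). The host name example.test, the PinStore type and the two sentinel errors are this example's own inventions; the key pairs are generated fresh each run and represent no real server.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// NewSelfSigned builds a self-signed certificate for host that is valid from
// notBefore for lifetime. The key pair is generated here and represents no
// real server; host names used below are constructed for the example.
func NewSelfSigned(host string, notBefore time.Time, lifetime time.Duration) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    notBefore,
		NotAfter:     notBefore.Add(lifetime),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	// Passing the template as its own parent makes the certificate sign itself.
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// Fingerprint is the SHA-256 of the DER encoding: the "secure hash" a browser
// remembers once the user has accepted a certificate for a domain.
func Fingerprint(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.Raw)
	return hex.EncodeToString(sum[:])
}

// IsSelfSigned reports whether issuer equals subject and the signature verifies
// under the certificate's own public key. A root CA shipped with a browser passes
// this test as well; what sets it apart is only that the browser already trusts it.
func IsSelfSigned(cert *x509.Certificate) bool {
	if !bytes.Equal(cert.RawIssuer, cert.RawSubject) {
		return false
	}
	return cert.CheckSignature(cert.SignatureAlgorithm, cert.RawTBSCertificate, cert.Signature) == nil
}

var (
	ErrExpired     = errors.New("certificate is outside its validity period")
	ErrPinMismatch = errors.New("certificate fingerprint changed since first use")
)

// PinStore maps a host to the fingerprint accepted on first use (hypothetical type).
type PinStore map[string]string

// Check applies the two rules from the thread: a certificate outside its validity
// period always warns, and a known host presenting a different fingerprint always
// warns. An unknown host is trusted on first use and its fingerprint is recorded.
func (s PinStore) Check(host string, cert *x509.Certificate, now time.Time) error {
	if now.Before(cert.NotBefore) || now.After(cert.NotAfter) {
		return ErrExpired
	}
	fp := Fingerprint(cert)
	pinned, known := s[host]
	switch {
	case !known:
		s[host] = fp // first use: remember what was presented
		return nil
	case pinned != fp:
		return ErrPinMismatch // same host, different certificate
	default:
		return nil
	}
}

func main() {
	now := time.Now()
	fiveYears := 5 * 365 * 24 * time.Hour
	good, err := NewSelfSigned("example.test", now.Add(-time.Hour), fiveYears)
	if err != nil {
		panic(err)
	}
	// A second certificate for the same name, as an interceptor would have to present.
	other, err := NewSelfSigned("example.test", now.Add(-time.Hour), fiveYears)
	if err != nil {
		panic(err)
	}
	store := PinStore{}
	fmt.Println("self-signed:    ", IsSelfSigned(good))
	fmt.Println("first visit:    ", store.Check("example.test", good, now))
	fmt.Println("same cert again:", store.Check("example.test", good, now))
	fmt.Println("different cert: ", store.Check("example.test", other, now))
	fmt.Println("six years later:", store.Check("example.test", good, now.Add(6*365*24*time.Hour)))
}
```

The fingerprint is taken over the whole DER certificate, so re-issuing a certificate with the same key but a new expiry also changes the pin; that is the trade-off Tim's message touches on, since a long lifetime keeps the pin stable but leaves no natural point at which the certificate is revalidated.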
 
Old 01-18-2010, 04:54 PM
James Szinger
 
outdated ssl cert

On Sat, 16 Jan 2010 11:58:03 -0600
Steven Stern <subscribed-lists@sterndata.com> wrote:

> Because I have a hard time remembering how to generate self-signed
> certs, I set the expiration date for 5 years the last time I had to
> create them.
>

There is a Fedora package for gnomint, a GUI which makes it easy to set
yourself up as a CA (certificate authority) and create and manage your
own certificates.

Jim
 
