Re: OpenSSL New Trusted Root Certificate PHP/HTML Integration

18-06-2008, 04:27 PM   #1
viza
Guest
Posts: n/a
Re: OpenSSL New Trusted Root Certificate PHP/HTML Integration

On Wed, 18 Jun 2008 14:55:09 +0000, Peter Anastos wrote:

> I have to disagree with both of you, quite strongly (no offense meant to
> you Jerry.) Your insult (viza) is ironic and unnecessary, but I am going
> to hold my tongue.


I didn't say that you were stupid, I said what you were trying to do was
stupid. If you take that as an insult then I apologise.

> There is no argument that a certificate issued by ANY operational
> certificate authority, that isn't on the website's host machine, as mine
> is (solely to check for revocations), signed for use by my URL, which
> mine is (so they know it is indeed my own certificate,) is any less
> secure than one provided by a "trusted" certificate authority. Why? The
> answer is why not!


You have still misunderstood the purpose of a certificate. As much as I
hate to say it, IE is right and you are wrong. Look it up:

http://en.wikipedia.org/wiki/Man_in_the_middle

> Well what if it's some hacker, you say? That makes no sense! If you
> trust the website, quite explicitly by providing your personal details
> to it, then you should trust a certificate provided by that website!


No, no, no.

Suppose I trust https://mybank.com/, because I saw a poster behind the
counter in the high street branch with that address on it.

I go home and try to visit that site. My browser looks up mybank.com in
DNS, but someone is interfering with DNS and I get the wrong IP address,
or perhaps I get the right IP but someone is rerouting my packets to some
other machine that is spoofing that address.

If I accept a root certificate from any machine that offers me one, I
have no way of knowing if I am in communication with my bank or some
other machine.

If I only accept a certificate that is signed by a trusted authority (eg:
one that didn't come over the network, but came on a CD with a difficult
to replicate hologram on it) then I can have some confidence that whoever
can interfere with the network at large, they cannot eavesdrop or
interfere with my connection to the bank.


> (that meets the normal standards - can be checked for revocation, and is
> for the URL it says it is for, which any browser will test for you if
> you actually install the certificate.) Instead IE7 just says "NO!" and
> you don't get to see whether it is a real certificate for the site and
> people go around the single warning, creating a less secure Internet all
> around.
>
> If you wouldn't trust a proper certificate issued as I have described by
> the host's own CA, then you should not be giving your personal details
> to the site. It certainly doesn't create any less of a secure SSL
> connection. Any SSL/PKI issues with the certificate are prominently
> displayed when you go to install the certificate - like it being issued
> for a different website or not providing enough security - instead
> of saying "only Microsoft's trusted CA list is acceptable" in the
> strongest way possible by IE7. It is a huge money making scheme.
>
> SSL as currently implemented is a huge ball of smoke used to make a
> crapload of money selling "trusted" SSL certificates that cost downright
> *offensive* amounts of money. It is a ludicrously overpriced system
> that, clearly, most people do not understand. It pisses the hell out of
> me, so excuse the rant. I hope a flame war doesn't erupt. And hell, if
> you can tell me why I am wrong, go ahead, I will accept legitimate logic
> in defeat. But I don't think there is any.


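The DNS-spoofing scenario viza describes above, as an added example that is not part of the thread: a throw-away PKI built with the openssl command line, where the only trust anchor is a root that arrived out of band, the bank's real certificate chains to it, and a self-signed "mybank.com" certificate offered by whoever sits on the rerouted path does not. It also shows what happens when the client instead trusts whatever the peer hands over. It assumes openssl 1.1.1 or later on PATH; every name, key and certificate is constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the thread: toy PKI showing why the trust anchor
# cannot itself come over the connection being verified.
# Assumes openssl 1.1.1+ on PATH; all names and certs are constructed.
set -e
WORK=$(mktemp -d)
cd "$WORK"

# Minimal req config so the demo does not depend on the system openssl.cnf.
cat > req.cnf <<'EOF'
[req]
prompt = no
distinguished_name = dn
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
printf 'subjectAltName=DNS:mybank.com\nbasicConstraints=CA:FALSE\n' > server.ext

# 1. The trust anchor: the root that reached the client out of band (the
#    "CD with a hologram"), never over the network path being verified.
openssl req -x509 -new -newkey rsa:2048 -nodes -days 30 -config req.cnf \
  -extensions v3_ca -subj "/CN=Example Bank Root CA" \
  -keyout root.key -out root.pem 2>/dev/null

# 2. The bank's real server certificate for mybank.com, issued by that root.
openssl req -new -newkey rsa:2048 -nodes -config req.cnf \
  -subj "/CN=mybank.com" -keyout server.key -out server.csr 2>/dev/null
openssl x509 -req -in server.csr -CA root.pem -CAkey root.key -CAcreateserial \
  -days 30 -extfile server.ext -out server.pem 2>/dev/null

# 3. What a spoofing host on the rerouted path can offer: a certificate that
#    also names mybank.com but is signed only by itself.
openssl req -x509 -new -newkey rsa:2048 -nodes -days 30 -config req.cnf \
  -subj "/CN=mybank.com" -addext "subjectAltName=DNS:mybank.com" \
  -keyout impostor.key -out impostor.pem 2>/dev/null

# verify_against <trust-anchor.pem> <cert.pem> <hostname>: prints OK when the
# cert chains to the anchor AND matches the hostname, REJECTED otherwise.
verify_against() {
  if openssl verify -CAfile "$1" -verify_hostname "$3" "$2" >/dev/null 2>&1; then
    echo OK
  else
    echo REJECTED
  fi
}

echo "bank cert vs out-of-band root:        $(verify_against root.pem server.pem mybank.com)"
echo "impostor cert vs out-of-band root:    $(verify_against root.pem impostor.pem mybank.com)"
echo "bank cert presented for another name: $(verify_against root.pem server.pem evil.example)"
# Accepting whatever root the peer offers makes the impostor verify just fine:
echo "impostor cert vs itself as root:      $(verify_against impostor.pem impostor.pem mybank.com)"
```

The second and fourth lines are the whole argument: with the root fixed in advance, the impostor is rejected even though it names the right host; the moment the client lets the peer supply the root, the same certificate passes every check, so the warning IE7 refuses to let the user click through is the only thing standing between the user and the spoofing host.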
18-06-2008, 07:27 PM   #2
Neredbojias
Guest
Posts: n/a
Re: OpenSSL New Trusted Root Certificate PHP/HTML Integration

On 18 Jun 2008, viza <tom.viza@gmil.com> wrote:

>> There is no argument that a certificate issued by ANY operational
>> certificate authority, that isn't on the website's host machine, as
>> mine is (solely to check for revokations), signed for use by my URL,
>> which mine is (so they know it is indeed my own certificate,) is any
>> less secure than one provided by a "trusted" certificate authority.
>> Why? The answer is why not!

>
> You have still misunderstood the purpose of a certificate. As much as
> I hate to say it, IE is right and you are wrong.


Perhaps in the scope of security per se, but the whole "certificate
program" is just a bunch of crap, a scam for unscrupulous entrepreneurs to
make money, and that alone should obviate any trust related to its
existence.

--
Neredbojias
http://www.neredbojias.net/
Great sights and sounds
