#1
Re: OpenSSL New Trusted Root Certificate PHP/HTML Integration
On Wed, 18 Jun 2008 14:55:09 +0000, Peter Anastos wrote:
> I have to disagree with both of you, quite strongly (no offense meant to
> you Jerry.) Your insult (viza) is ironic and unnecessary, but I am going
> to hold my tongue.

I didn't say that you were stupid, I said what you were trying to do was
stupid. If you take that as an insult then I apologise.

> There is no argument that a certificate issued by ANY operational
> certificate authority, that isn't on the website's host machine, as mine
> is (solely to check for revocations), signed for use by my URL, which
> mine is (so they know it is indeed my own certificate,) is any less
> secure than one provided by a "trusted" certificate authority. Why? The
> answer is why not!

You have still misunderstood the purpose of a certificate. As much as I
hate to say it, IE is right and you are wrong. Look it up:
http://en.wikipedia.org/wiki/Man_in_the_middle

> Well what if it's some hacker, you say? That makes no sense! If you
> trust the website, quite explicitly by providing your personal details
> to it, then you should trust a certificate provided by that website!

No, no, no. Suppose I trust https://mybank.com/, because I saw a poster
behind the counter in the high street branch with that address on it. I
go home and try to visit that site. My browser looks up mybank.com in
DNS, but someone is interfering with DNS and I get the wrong IP address,
or perhaps I get the right IP but someone is rerouting my packets to
some other machine that is spoofing that address. If I accept a root
certificate from any machine that offers me one, I have no way of
knowing if I am in communication with my bank or some other machine. If
I only accept a certificate that is signed by a trusted authority (eg:
one that didn't come over the network, but came on a CD with a difficult
to replicate hologram on it) then I can have some confidence that
whoever can interfere with the network at large, they cannot eavesdrop
or interfere with my connection to the bank.

> (that meets the normal standards - can be checked for revocation, and is
> for the URL it says it is for, which any browser will test for you if
> you actually install the certificate.) Instead IE7 just says "NO!" and
> you don't get to see whether it is a real certificate for the site and
> people go around the single warning, creating a less secure Internet all
> around.
>
> If you wouldn't trust a proper certificate issued as I have described by
> the host's own CA, then you should not be giving your personal details
> to the site. It certainly doesn't create any less of a secure SSL
> connection. Any SSL/PKI issues with the certificate are prominently
> displayed when you go to install the certificate - like it being issued
> for a different website or doesn't provide for enough security - instead
> of saying "only Microsoft's trusted CA list is acceptable" in the
> strongest way possible by IE7. It is a huge money making scheme.
>
> SSL as currently implemented is a huge ball of smoke used to make a
> crapload of money selling "trusted" SSL certificates that cost downright
> *offensive* amounts of money. It is a ludicrously overpriced system
> that, clearly, most people do not understand. It pisses the hell out of
> me, so excuse the rant. I hope a flame war doesn't erupt. And hell, if
> you can tell me why I am wrong, go ahead, I will accept legitimate logic
> in defeat. But I don't think there is any.
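The man-in-the-middle scenario viza describes, as an added example that is not part of the original thread: a throwaway PKI built with the OpenSSL command line. The hostname mybank.example, the CA names, the temporary directory layout and the shell function names are assumptions made for this demo. Two CAs are built by the same function, one standing in for the bank's real CA and one for an attacker, and each issues a certificate for mybank.example. Verification against a root installed out of band accepts the bank's certificate and rejects the attacker's (the "NO!" from IE7); verification against whatever root the server offered accepts the attacker's certificate just as readily, which is exactly why "install the root the site gives you" proves nothing.

```shell
#!/bin/sh
# Added example, not from the thread. Builds a throwaway PKI with the OpenSSL CLI
# to show why a root certificate handed to you by the server itself proves nothing.
# "mybank.example", the CA names and the function names are constructed for this demo.
set -e

HOST=mybank.example
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Minimal req config so the commands work even without a system openssl.cnf.
cat > "$WORK/req.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF

# make_ca NAME: self-signed root "NAME.pem" with private key "NAME.key".
# Anyone can run this; the attacker's CA below is built by the same function.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -config "$WORK/req.cnf" -extensions ca_ext \
        -subj "/CN=$1 root" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.pem" >/dev/null 2>&1
}

# issue_cert CA NAME: leaf certificate "NAME.pem" for $HOST, signed by CA.
# The attacker's leaf carries the same hostname as the bank's; nothing in the
# certificate itself distinguishes them.
issue_cert() {
    openssl req -new -newkey rsa:2048 -nodes \
        -config "$WORK/req.cnf" -subj "/CN=$HOST" \
        -keyout "$WORK/$2.key" -out "$WORK/$2.csr" >/dev/null 2>&1
    printf 'basicConstraints = CA:FALSE\nsubjectAltName = DNS:%s\n' "$HOST" > "$WORK/$2.ext"
    openssl x509 -req -days 1 -in "$WORK/$2.csr" \
        -CA "$WORK/$1.pem" -CAkey "$WORK/$1.key" -CAcreateserial \
        -extfile "$WORK/$2.ext" -out "$WORK/$2.pem" >/dev/null 2>&1
}

# verify_with ROOT CERT: the check a browser performs. Exit status 0 means
# "chains to ROOT and is valid for $HOST"; anything else is a rejection.
verify_with() {
    openssl verify -CAfile "$1" -verify_hostname "$HOST" "$2" >/dev/null 2>&1
}

make_ca ca            # the bank's CA: the root that would arrive out of band
make_ca evil          # an attacker's CA, built exactly the same way (constructed)
issue_cert ca server  # the bank's real certificate for mybank.example
issue_cert evil mitm  # the attacker's certificate, also "for" mybank.example

report() { if verify_with "$1" "$2"; then echo "ACCEPTED: $3"; else echo "REJECTED: $3"; fi; }
report "$WORK/ca.pem"   "$WORK/server.pem" "bank cert, trust anchor installed out of band"
report "$WORK/ca.pem"   "$WORK/mitm.pem"   "attacker cert, same trust anchor (IE7's NO!)"
report "$WORK/evil.pem" "$WORK/mitm.pem"   "attacker cert, after installing the root the server offered"
```

The script needs an OpenSSL with `-verify_hostname` on `openssl verify` (1.1.0 or later). The point it makes is the one viza makes: revocation checking and a matching hostname are both present on the attacker's certificate too, so the only thing separating the two outcomes is which root was already trusted before the connection started.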
#2
Re: OpenSSL New Trusted Root Certificate PHP/HTML Integration
On 18 Jun 2008, viza <tom.viza@gmil.com> wrote:
>> There is no argument that a certificate issued by ANY operational
>> certificate authority, that isn't on the website's host machine, as
>> mine is (solely to check for revocations), signed for use by my URL,
>> which mine is (so they know it is indeed my own certificate,) is any
>> less secure than one provided by a "trusted" certificate authority.
>> Why? The answer is why not!
>
> You have still misunderstood the purpose of a certificate. As much as
> I hate to say it, IE is right and you are wrong.

Perhaps in the scope of security per se, but the whole "certificate
program" is just a bunch of crap, a scam for unscrupulous entrepreneurs
to make money, and that alone should obviate any trust related to its
existence.

--
Neredbojias
http://www.neredbojias.net/
Great sights and sounds
|