Security Basics
Rdp over ssl Apr 05 2012 11:21PM
Robert Smith (robert smith2929 gmail com) (1 replies)
Re: Rdp over ssl Apr 10 2012 03:11AM
Stephanus J Alex Taidri (securityfocus ae taidri com) (1 replies)
Re: Rdp over ssl Apr 13 2012 11:47AM
_ (packetnull gmail com) (2 replies)
Re: Rdp over ssl Apr 16 2012 10:49AM
riftman (riftman gmail com)
Re: Rdp over ssl Apr 16 2012 09:44AM
Thugzclub Thugzclub (thugzclub googlemail com) (1 replies)
Re: Rdp over ssl Apr 16 2012 02:51PM
Greg Rubin (grrubin gmail com)
Actually, there is sometimes a way for people to review and validate
self-signed certificates. If you can provide the user the
certificate's thumbprint/hash and trust the user to validate it (a
very high difficulty in implementation and use) then the user can
trust the certificate's authenticity.

That said, there is usually a better way of doing this.

Greg

On Apr 16, 2012, at 7:43 AM, Thugzclub Thugzclub
<thugzclub (at) googlemail (dot) com [email concealed]> wrote:

> Using a self-signed certificate does not provide any authentication
> guarantees to the user that is connecting to the system. Reason being
> that the user has no strong way of validating that the contents of
> the certificates have not been changed or generated by another user.
> Consequently they have no assurance of the identity of the system
> that they are connecting to... The same applies even if they are
> reviewing the contents of the certificate...
>
>
> It should only be advised in a low-risk environment such as a
> local/intranet environment. It's not advisable for external systems.
>
> On 13 April 2012 12:47, _ <packetnull (at) gmail (dot) com [email concealed]> wrote:
>> and to add your goal on setting up a * ssl (from my understanding looks like you want a wildcard ssl) is a bad idea as well because it defeats the purpose of validating that a specific cert is owned by a specific server
>>
>> On Apr 9, 2012, at 9:11 PM, Stephanus J Alex Taidri <securityfocus.ae (at) taidri (dot) com [email concealed]> wrote:
>>
>>> Hi Robert,
>>>
>>> The problem with a self-signed certificate is you really need to educate
>>> the users and ensure they always check for the certificate issuer,
>>> expiry, other parameters, etc. before accepting the sessions.
>>>
>>> As we know... most users don't bother and just click Accept.
>>>
>>> That means, if a hijacker using a MITM attack is able to intercept your
>>> traffic (which is easy if this traverses the internet) and present
>>> their own self-signed certificate, most users are not aware and will
>>> still Accept the connection, thus being hijacked.
>>>
>>> Therefore it's imperative to implement a valid certificate either from a
>>> public CA or private CA as long as the chain can be validated back and
>>> the user's browser is able to validate the authenticity of the certificate.
>>>
>>> Kind regards,
>>> SJ Alex Taidri
>>>
>>> On Fri, Apr 6, 2012 at 7:21 AM, Robert Smith <robert.smith2929 (at) gmail (dot) com [email concealed]> wrote:
>>>> Hello all,
>>>>
>>>> I would like to know what all the security risks are if I set up RDP over SSL with a self-signed certificate.
>>>>
>>>> One example: is it possible that the certificate becomes corrupted? What are the impacts? Does some recovery solution exist?
>>>>
>>>> Man in the middle, is it still possible?
>>>>
>>>> My principal problem is to deploy a certificate signed by our CA on all our servers.
>>>>
>>>> Would a certificate with the * character resolve my problem?
>>>> ------------------------------------------------------------------------

>>>> Securing Apache Web Server with thawte Digital Certificate
>>>> In this guide we examine the importance of Apache-SSL and who needs an SSL certificate. We look at how SSL works, how it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates.
>>>>
>>>> http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
>>>> ------------------------------------------------------------------------

>>>>
>>>
[ reply ]
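
The thumbprint check Greg describes in his reply, as an added example that is not part of the original thread: the administrator publishes the certificate's hash out of band, and the client accepts the self-signed certificate only if the presented bytes hash to that value. All function names are hypothetical, the sample bytes are constructed, and `fetch_der` assumes a listener that starts TLS directly on connect (port 443 is an assumed default).

```python
import hashlib
import hmac
import socket
import ssl

# Constructed stand-in for a certificate's DER bytes (NOT a real certificate);
# a thumbprint is just a hash over those bytes, so this is enough to show the check.
SAMPLE_DER = bytes.fromhex("3082010a0282010100") + b"constructed-example-cert"

def thumbprint(der: bytes, algo: str = "sha256") -> str:
    """Hex digest of the DER-encoded certificate."""
    return hashlib.new(algo, der).hexdigest()

def normalize(text: str) -> str:
    """Reduce a pasted thumbprint to bare lowercase hex.

    Drops spaces, colons and invisible characters (such as a
    left-to-right mark picked up when copying from a GUI dialog)."""
    return "".join(c for c in text.lower() if c in "0123456789abcdef")

def matches(der: bytes, published: str) -> bool:
    """True only if the presented certificate hashes to the published value."""
    want = normalize(published)
    # Pick the hash by length: 40 hex chars = SHA-1, 64 = SHA-256.
    algo = {40: "sha1", 64: "sha256"}.get(len(want))
    if algo is None:  # truncated or malformed value: fail closed
        return False
    return hmac.compare_digest(thumbprint(der, algo), want)

def fetch_der(host: str, port: int = 443, timeout: float = 5.0) -> bytes:
    """Return the certificate a TLS listener presents, without trusting it.

    Chain validation is switched off on purpose: a self-signed certificate
    cannot pass it, so all trust comes from matches() afterwards."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)

def verify_server(host: str, published: str, port: int = 443) -> bool:
    """Fetch the live certificate and compare it with the published thumbprint."""
    return matches(fetch_der(host, port), published)
```

The check is only as strong as the channel used to deliver the published thumbprint, which is the practical difficulty Greg points out.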


 

Copyright 2010, SecurityFocus