Old 13th February 2012, 21:11   #1  |  Link
Chumbo
Registered User
 
 
Join Date: Feb 2005
Posts: 585
Doom9.org self-signed certificate

Quote:
Originally Posted by CruNcher View Post
Is the link supposed to be a secured link? Just noticed it and tried it and looks like it has a bogus certificate?
__________________
Chumbo
Chumbo is offline   Reply With Quote
Old 13th February 2012, 21:19   #2  |  Link
LoRd_MuldeR
Software Developer
 
 
Join Date: Jun 2005
Location: Last House on Slunk Street
Posts: 13,248
Quote:
Originally Posted by Chumbo View Post
Is the link supposed to be a secured link? Just noticed it and tried it and looks like it has a bogus certificate?
That obviously is a self-signed certificate.

If you don't want to pay a CA for a "real" certificate or if you just want to have something for testing your server, creating a self-signed certificate is reasonable.

For obvious reasons the web-browser cannot check the validity of a self-signed certificate, because it was not signed by one of the trusted CAs whose root-certificate is known.

Anyway, you can still check the fingerprint of the self-signed certificate yourself and then it can be just as "secure" as a certificate that was signed by some trusted CA...

(Of course somebody would have to tell you the correct fingerprint of the certificate - either "offline" or through some tamper-proof channel - so you can verify it)
__________________
Go to https://standforukraine.com/ to find legitimate Ukrainian Charities 🇺🇦✊

Last edited by LoRd_MuldeR; 14th February 2012 at 00:53.
LoRd_MuldeR is offline   Reply With Quote
Old 13th February 2012, 21:40   #3  |  Link
Midzuki
Unavailable
 
 
Join Date: Mar 2009
Location: offline
Posts: 1,480
Anyway, it seems Cruncher likes to surf on these forums through https instead of plain http. Only recently I've noticed that ALL of his links to a post on doom9.org use https.
Midzuki is offline   Reply With Quote
Old 14th February 2012, 03:07   #4  |  Link
mpucoder
Moderator
 
Join Date: Oct 2001
Posts: 3,530
The big difference with self-signed and certified is about doing business with a site - can they be trusted to process a credit card order, are they legitimate, etc. For that you would want a site that has been certified. However any https connection is encrypted, therefore protected from sniffers (electronic eavesdropping).
mpucoder is offline   Reply With Quote
Old 14th February 2012, 04:44   #5  |  Link
Chumbo
Registered User
 
 
Join Date: Feb 2005
Posts: 585
Quote:
Originally Posted by LoRd_MuldeR View Post
That obviously is a self-signed certificate.

If you don't want to pay a CA for a "real" certificate or if you just want to have something for testing your server, creating a self-signed certificate is reasonable.

For obvious reasons the web-browser cannot check the validity of a self-signed certificate, because it was not signed by one of the trusted CAs whose root-certificate is known.

Anyway, you can still check the fingerprint of the self-signed certificate yourself and then it can be just as "secure" as a certificate that was signed by some trusted CA...

(Of course somebody would have to tell you the correct fingerprint of the certificate - either "offline" or through some tamper-proof channel - so you can verify it)
Yeah, I shouldn't have used the word "bogus" but I was more curious than anything else. Your explanation is nicely done to help others who may not be sure about the self-signed certificate. Thanks a lot.
__________________
Chumbo
Chumbo is offline   Reply With Quote
Old 14th February 2012, 12:51   #6  |  Link
LoRd_MuldeR
Software Developer
 
 
Join Date: Jun 2005
Location: Last House on Slunk Street
Posts: 13,248
Quote:
Originally Posted by mpucoder View Post
The big difference with self-signed and certified is about doing business with a site - can they be trusted to process a credit card order, are they legitimate, etc. For that you would want a site that has been certified. However any https connection is encrypted, therefore protected from sniffers (electronic eavesdropping).
I don't want to be picky, but that's not the whole truth. An encrypted connection is pretty much useless as long as you can't determine with whom you are making an encrypted connection! As long as the certificate has not been verified, you may be making an encrypted connection with the Doom9 server - but you may be making an encrypted connection with some attacker, who is acting as a "man in the middle" and who just pretends to be the Doom9 server, just as well. In the latter case, you would be using a "secure" encrypted HTTPS connection, yes, but the end-point of that connection is the attacker's computer. Bummer!

That's why certificates need to be verified and why an encrypted connection without an approved certificate is pointless. Still, a self-signed certificate can be just as "genuine" and "secure" as one that was signed by a trusted CA. The only difference is that the self-signed one has to be verified by hand (by checking its fingerprint). It simply cannot be verified automatically by the PKI. After all, all the "root" certificates your browser contains are self-signed too...

BTW: After the recent incidents, I would trust a self-signed certificate (which you have verified yourself!) much more than one that was signed by a CA
__________________
Go to https://standforukraine.com/ to find legitimate Ukrainian Charities 🇺🇦✊

Last edited by LoRd_MuldeR; 14th February 2012 at 16:25.
LoRd_MuldeR is offline   Reply With Quote
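
The manual fingerprint check described in posts #2 and #6, written out as a pin check. This is an added example, not part of the thread; the function names and the sample bytes are assumptions made for illustration, and the trusted fingerprint is assumed to have reached you offline or over a tamper-proof channel.

```python
import hashlib
import socket
import ssl

# Constructed stand-in bytes, NOT a real certificate: the fingerprint is just a
# hash over the DER encoding, so any byte string exercises the comparison.
SAMPLE_DER = b"constructed stand-in for a DER-encoded certificate"
SAMPLE_PEM = ssl.DER_cert_to_PEM_cert(SAMPLE_DER)


def fingerprint_sha256(cert):
    """SHA-256 over the DER encoding; accepts DER bytes or a PEM string."""
    der = ssl.PEM_cert_to_DER_cert(cert) if isinstance(cert, str) else cert
    return hashlib.sha256(der).hexdigest()


def display_form(hex_digest):
    """Render as AA:BB:CC:..., the way browsers usually show fingerprints."""
    h = hex_digest.upper()
    return ":".join(h[i:i + 2] for i in range(0, len(h), 2))


def normalize_fingerprint(text):
    """Accept 'AA:BB:..', 'aa bb ..' or plain hex; return lowercase hex."""
    cleaned = "".join(text.split()).replace(":", "").lower()
    if len(cleaned) != 64 or set(cleaned) - set("0123456789abcdef"):
        raise ValueError("expected a SHA-256 fingerprint (64 hex digits)")
    return cleaned


def matches_pin(cert, trusted_fingerprint):
    return fingerprint_sha256(cert) == normalize_fingerprint(trusted_fingerprint)


def connect_pinned(host, trusted_fingerprint, port=443, timeout=10):
    """TLS connection that skips CA validation but rejects any certificate
    whose fingerprint differs from the one obtained out of band."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False        # must be disabled before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE   # the pin check below replaces PKI validation
    tls = ctx.wrap_socket(socket.create_connection((host, port), timeout=timeout),
                          server_hostname=host)
    if not matches_pin(tls.getpeercert(binary_form=True), trusted_fingerprint):
        tls.close()                   # unknown endpoint, possibly a man in the middle
        raise ssl.SSLError("certificate fingerprint does not match the pinned value")
    return tls
```

Without the `matches_pin` step, `connect_pinned` would accept an encrypted session with any endpoint, which is the man-in-the-middle case post #6 describes.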
Old 14th February 2012, 19:31   #7  |  Link
amtm
Guest
 
Posts: n/a
One of the big issues that Chrome has, though I'd assume other browsers might as well, is that the self-signed cert doesn't match the URL of this site. Even after installing it in the trusted root store, it will still complain due to that reason. Luckily it can be bypassed but whenever Chrome is closed and then opened again it will display the huge warning page whenever you want to come back here via https.