Can't I trust the Postal Service? Part 2 - the certificate.

re: Can't I trust the Postal Service? Part 2 - the certificate.

Alun Jones — Mon, 05 Nov 2007 02:04:43 GMT

It was at a usps.gov site, but the site has been changed since then - now all usps.gov references get redirected to usps.com.

So you won't be able to replicate the issue with live references to existing sites. You'll have to rely on my historical description.

re: Can't I trust the Postal Service? Part 2 - the certificate.

U NO HOO — Sun, 04 Nov 2007 23:36:29 GMT

usps.gov or usps.com?

re: Can't I trust the Postal Service? Part 2 - the certificate.

Alun Jones — Wed, 19 Sep 2007 16:53:26 GMT

No, it comes down to how confident you are that every one of your servers are secure. There's a big difference.

If you use individual certificates for individual services (which may be spread across several servers), the strength of each certificate is dependent on the weakest of the servers within that service - but not dependent on the strength of any server outside the service.

If you use a wildcard certificate for any service within your domain, then every server in your domain may be spoofed if an attacker can get at any one of those servers that uses a wildcard certificate.

Note that this also means that you can't use a non-wildcard certificate to get "better security" inside your domain, because the wildcard certificate will still work to spoof that site. (e.g. if you registered certificates at *.example.com and securesite.example.com, an attacker who gets the key for *.example.com can use that certificate to pretend to be securesite.example.com also)

re: Can't I trust the Postal Service? Part 2 - the certificate.

Orca — Wed, 19 Sep 2007 03:37:02 GMT

Thanks for teh discussion. We have been discussing this internally, and are trying to come up with risk profile.

Of your Negitives, 3 are associated with cost, these are realtivly easily quantified, and in reality most will be motivated to to go with wildcards to reduce costs (its why we are condisering it) so that just becomes an excercise to ensure you are capturing all teh end to end costs.

Your final point re 3rd party hosting is valid, but avoidable. I agree that if you go for wildcards you can't outsource that domain. In fact you need to make sure you control your domain very tightly.

Which leaves us with increased attack surface. How likly is it for someone to "crack" your certificate? Hopefully not very or else the entire SSL infrastructure is worthless. So I assume that you are saying if you have multiple copies of a certificate that increases the chance someone will compromise one of them, and steal the certificate.

So I guess it comes down to how confidant you are your server is secure, and that if it becomes compromised you will notice it before the attacker can take advantage of it.