Mon, Nov 28 2005 21:38
So what's the risk of Self Signed Certs?
You've seen it, haven't you? This: the self-signed cert prompt before getting into RWW.
So you are probably wondering why, with all my paranoia, I don't go out and buy a third-party certificate that I can trust from someplace like instantssl.com?
Why do I trust them any more than I do my own box?
As it stands now, I can make a workstation like my home one trust the certificate: I can easily click on View Certificate and examine that it came from my box, and I can check the SHA-1 thumbprint as I install it on my workstation.
An expert on encryption once came and did a presentation on the topic to our CPA group. He made the point: why do we trust any third-party certificate publisher any more than we do ourselves? In the proper world of PKI and such topics, you should really meet a person face to face, swap identity information, and swap certificate information to ensure that you can confirm you got that certificate from that very person. So if I can explain the process to my employees, and if I tell them what the SHA-1 thumbprint is so they can check it if they really want to be paranoid, what's the risk of a self-signed certificate once I've installed it on a workstation so that it then accepts the certificate from my server? Heck, if I'm that paranoid I can type up the thumbprint and have folks verify that.
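As an added example (not part of the original post), here is what that "type up the thumbprint and have folks verify it" step looks like when done by a script on the workstation instead of by eye: it takes the certificate exported from the SBS box as PEM, computes the same thumbprint Windows shows in View Certificate (the hash of the DER bytes), and compares it with the value handed out ahead of time. The certificate bytes below are a constructed placeholder, not a real certificate.

```python
"""Check a self-signed certificate against a thumbprint distributed out of band."""
import base64
import hashlib
import hmac
import ssl

# Constructed sample: a minimal DER SEQUENCE standing in for the server's
# certificate. In practice this is the .cer/.pem file exported from the box.
SAMPLE_DER = bytes.fromhex("3003020101")
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.encodebytes(SAMPLE_DER).decode()
    + "-----END CERTIFICATE-----\n"
)


def thumbprint(pem: str, algo: str = "sha1") -> str:
    """Hash the DER-encoded certificate and format it the way the Windows
    certificate dialog does: upper-case hex pairs separated by spaces.
    'sha1' matches the dialog of the era; 'sha256' is also accepted."""
    der = ssl.PEM_cert_to_DER_cert(pem)
    digest = hashlib.new(algo, der).hexdigest().upper()
    return " ".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize(tp: str) -> str:
    """People type thumbprints with spaces, colons or lower case; drop all of
    that so the comparison only looks at the hex digits."""
    return "".join(ch for ch in tp if ch.isalnum()).upper()


def thumbprint_matches(pem: str, expected: str, algo: str = "sha1") -> bool:
    """True only when the certificate's thumbprint equals the pinned value.
    A wrong value (a look-alike site serving its own self-signed cert) fails."""
    got = normalize(thumbprint(pem, algo))
    want = normalize(expected)
    return hmac.compare_digest(got, want)


if __name__ == "__main__":
    pinned = thumbprint(SAMPLE_PEM)          # what the admin typed up and handed out
    print("Thumbprint on file:", pinned)
    print("Matches the exported cert?", thumbprint_matches(SAMPLE_PEM, pinned))
    print("Matches a bogus cert?", thumbprint_matches(SAMPLE_PEM, "00 " * 20))
```

Run it against the real exported certificate and the thumbprint from the server's own dialog; a user installs the certificate only when the last check prints True for the pinned value.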
Okay let's look how someone might trick me...or any of my employees that have remote access [remember not all do] with a self signed certificate especially if I've told them how to install it on their workstation once.
Okay, they'd first have to build enough of a web site that looked like the SBS front page. They'd have to grab the DNS records and redirect those settings to their system.
Do you get the idea of the risk of this? While... I mean, I can't honestly say it's non-existent... well, let's just say that some bad guy sending a phishing email or tricking one of my employees onto a web site to download malware is a greater risk. The risk that employees today are using up your bandwidth to do Christmas shopping is greater.
So why would you need a third party certificate?
Do you need one for cell phones? Nope. You can add the cert to the phone. In fact I do this all the time.
Do you need one for RWW for XP workstations? Nope. As you can see above.
When 'might' you need one? Macintoshes. But even then we have a workaround for that too.
So why do we need to have a third-party web site that we don't have control over be a verifier for my SBS box that I do have control over? Some might say that using third-party certs adds more flexibility... but I just keep thinking about that padlock story...
“There is a lesson here for security architects who worry at length about the number of bits of key to use in a cipher or the security of a CA, but not about the computer, operating system, protocol, human interface or physical environment of the application allegedly made secure by that cipher or PKI”
I'm spending my time and paranoia elsewhere thank you very much.....
Filed under: Security