Self signed certs better? - THE OFFICIAL BLOG OF THE SBS DIVA
Tue, Dec 30 2008 18:26 bradley

Self signed certs better?

Indy has a comment that self signed certs are now "more secure" than third party ones.

http://msmvps.com/blogs/bradley/archive/2008/12/30/the-sky-is-only-partially-falling-today.aspx#comments

I disagree.  Why?  Because we're training our end users to blindly click on certificates.  So are you going to sit down with folks and tell them to go ahead and examine the certificate each time they use a self signed cert?  I don't think you will, but that's what we'll need to ask someone.  Can they trust the certificate chain all the way back?  Can you train them on what to look for in a bad certificate?  Granted, our best mitigation is to train users to be more paranoid and not blindly click in general.

"Most attacks will probably still use bad certificates and ask the user to click 'ok' to accept the bad certificate."

http://isc.sans.org/diary.html?storyid=5590


# re: Self signed certs better?

Wednesday, December 31, 2008 10:34 AM by Gavin

I agree 100% Susan.

The yearly cost of a Thawte certificate is $149.00. this can (and in my opinion SHOULD) be easily built into any new network proposal, and solve all CERT issues in a small business network.

We'll never install a self signed cert again. It's just not necessary today.

# re: Self signed certs better?

Thursday, January 01, 2009 3:34 PM by Jeff Dempsey

I'm with you on this one, Gavin.  The GoDaddy ones are sha1RSA (to find out, go to MMC -> Add Snap In -> Certificates -> Local Computer, and in the Third-Party Root Certificates store, double click your root certificate provider), and they should not be affected by this.

We too never let the self signed one sit.  It brings into play complacency, and makes a lot of issues go away.  For $30/year, I tell my clients that it is worth it.  For them (and for me...)
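The MMC check Jeff describes, as an added PowerShell example (not code from the post or from either commenter). It assumes the server's own certificates sit in the Local Computer Personal store (`Cert:\LocalMachine\My`), builds the chain for each one, and reports the signature hash of every element, so a self signed cert shows up as an untrusted root and an MD5-signed element shows up as a weak hash.

```powershell
# Added example: walk the chain of each server certificate and report how each
# element is signed, flagging MD5-family hashes and self signed elements.
function Get-ChainSignatureReport {
    param(
        # Assumption: the SBS server's own certificates live in the Personal store.
        [string]$StorePath = 'Cert:\LocalMachine\My'
    )
    foreach ($cert in Get-ChildItem -Path $StorePath) {
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        # Skip online revocation lookups here so the report works offline;
        # revocation status is worth checking separately.
        $chain.ChainPolicy.RevocationMode = 'NoCheck'
        $null = $chain.Build($cert)
        foreach ($element in $chain.ChainElements) {
            $c   = $element.Certificate
            $alg = $c.SignatureAlgorithm.FriendlyName   # e.g. sha1RSA, md5RSA
            [PSCustomObject]@{
                Leaf       = $cert.Subject
                Subject    = $c.Subject
                Issuer     = $c.Issuer
                SigAlg     = $alg
                WeakHash   = [bool]($alg -match 'md2|md4|md5')
                SelfSigned = ($c.Subject -eq $c.Issuer)
                # Empty when the element is fine; 'UntrustedRoot' for a self signed cert
                # that no trusted root vouches for, i.e. the warning users click through.
                Status     = (@($element.ChainElementStatus | ForEach-Object { $_.Status }) -join ',')
                NotAfter   = $c.NotAfter
            }
        }
        $chain.Reset()
    }
}

Get-ChainSignatureReport | Format-Table -AutoSize
```

Point `-StorePath` at `Cert:\LocalMachine\AuthRoot` to run the same report over the Third-Party Root store Jeff mentions; roots are self signed by definition, so there the interesting column is SigAlg.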