
difference between private ssl and CA


svgnamy Member
edited October 2012 in General

Is an SSL certificate from an authority more secure than an SSL certificate issued yourself?

Comments

  • wdq Member

    They have pretty much the same security. The problem with a cert issued by yourself is that users will see it as an untrusted certificate, which is fine for things that you use personally. But if you are going to have a secured website where you accept orders or something like that, a self-signed certificate is a bad idea.

  • So it's the same, but a CA gives your customers peace of mind. Thanks.

  • You risk your CA being stolen (compromised, actually) if you issue from your own CA.

    Selling multiple 2000-user GApps :) Shoot me a message to make an offer.

  • SSL is in large part about the trust model. Browsers and OSes have said: we trust these CAs to make sure that they give out correct certificates and correctly validate those whom they trust to give out certificates. If they don't do it correctly, then the trust is broken, and thus the chain.

    SSL without the trust model means that everyone can give out a certificate, encrypt things and sign things, but do you know for sure that they are who they say they are? A CA tries to solve that problem by validating someone's identity, either via face-to-face checks or by validating that someone is the owner of a domain. If you have an untrusted certificate, it is because "we" do not trust that certificate, because it is missing the validation process, which is IMHO a big part of the whole SSL trust model.

    And yes, that can also go haywire; look at what happened to DigiNotar, a Dutch CA certified to give out government-level certificates. It had a highly secure environment and still got hacked. Or a CA can do the validation wrong and give out a valid certificate to someone who has lied. Therefore there are ideas to set up a decentralized model where certificates are ranked: the more people trust it, the more it is to be seen as trusted (like with PGP/GPG keys).

    So, TL;DR, a signed certificate is IMHO more secure because of all the validations that come with such a certificate.

    (And yes, I do look at the fingerprint; my browser warns me when that changes. And yes, if someone asks me to add an untrusted certificate, I ask them for the fingerprint to validate it. And yes, I have the fingerprint of my bank's certificate written down.)

    Quis custodiet ipsos custodes?
    https://raymii.org - https://cipherli.st
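
The point made above (same key, same cryptography, but the verdict depends on who signed it and what the verifier trusts, with the fingerprint as the manual fallback) can be seen on the command line. This is an added, constructed example, not part of the thread: it assumes `openssl` is installed, and the CA names, hostname and temp-dir layout are made up.

```sh
#!/bin/sh
# Constructed demo, not from this thread: a private CA, a server cert it issues,
# and a self-signed cert on the SAME server key. All files live in a temp dir.
set -e
WORK=$(mktemp -d)
cd "$WORK"

# Silence openssl chatter; it only matters that the commands succeed.
q() { "$@" >/dev/null 2>&1; }

# 1. Our own root CA (self-signed) and an unrelated root we pretend a browser ships with.
q openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.crt \
    -days 365 -subj "/CN=Example Private CA"
q openssl req -x509 -newkey rsa:2048 -nodes -keyout other.key -out other.crt \
    -days 365 -subj "/CN=Some Public CA"

# 2. Server key, CSR, and a certificate issued (signed) by our private CA.
q openssl req -newkey rsa:2048 -nodes -keyout server.key -out server.csr \
    -subj "/CN=shop.example.test"
q openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
    -out server.crt -days 365

# 3. A self-signed certificate for the very same server key.
q openssl req -x509 -key server.key -out selfsigned.crt -days 365 \
    -subj "/CN=shop.example.test"

# Returns 0 if $2 chains to trust anchor $1 (what a browser does with its CA bundle).
verify_against() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

# The public key carried by a certificate, PEM-encoded.
pubkey_of() { openssl x509 -in "$1" -noout -pubkey; }

# SHA-256 fingerprint: the value you write down when you pin a cert by hand.
fingerprint_of() { openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2; }

# Same key in both certs: the encryption is equally strong either way.
[ "$(pubkey_of server.crt)" = "$(pubkey_of selfsigned.crt)" ] && echo "same public key"
# What differs is who vouches for it.
verify_against ca.crt server.crt     && echo "server.crt: trusted by holders of ca.crt"
verify_against other.crt server.crt  || echo "server.crt: rejected by holders of other.crt"
verify_against ca.crt selfsigned.crt || echo "selfsigned.crt: rejected, nobody vouches for it"
echo "pin by fingerprint instead: $(fingerprint_of selfsigned.crt)"
```
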
  • You can get an introduction to this with StartSSL which provides free certs recognized by most browsers.

  • pcan Member
    edited October 2012

    @Raymii said: So a signed certificate is IMHO more secure because of all the validations that come with such a certificate.

    I have doubts about the validations that are done by most SSL certification providers. When I buy or renew a standard SSL or code signing certificate from Thawte, I get a phone call to the office phone and a Thawte representative asks if I placed a certificate order. This is close to a real validation (and you expect this from a bloody expensive certification authority), but they still don't ask for an official identification document. When I buy an SSL certificate from a budget provider, I get no phone call or email at all; maybe the only "validation" is on the credit card payment.

  • @pcan there are different levels of trust/verification for certificates.

    For a $10 ordinary SSL certificate you only have to verify that you are the website/domain owner, but no one checks your identity.

    When buying a $300 EV SSL certificate (the one that makes the browser bar even greener) you will also have to provide proof of your identity/company.

  • SSL, WOT with PGP, and most other forms of key-pair encryption all have to do with asking a third party to verify that someone is who they say they are and is not lying.

    Anyone can say they are "Bob" and give you their cert or public key, but how do you know they aren't lying? That is what MITM attacks vs. WOT or CA root certs are about.
