Re: Certificate Fraud
From: David Cross [MS] (dcross_at_online.microsoft.com)
Date: 02/10/05
- Next message: hs: "decrypting messages"
- Previous message: Benjy: "CERTREQ for smart card not working"
- In reply to: rd: "Certificate Fraud"
- Next in thread: rd: "Re: Certificate Fraud"
- Reply: rd: "Re: Certificate Fraud"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Thu, 10 Feb 2005 05:33:51 -0800
You have hit on the core issue. If you can install an untrusted (fake) CA
on your machine, they could impersonate users and services and you would not
know that they are fraudulent. This is why we protect and control the
trusted root CA store on machines to ensure that users install roots that
they trust. In most cases, a user should never need to add a root CA, and
in enterprises this can be managed by GPO.
--
David B. Cross [MS]
This posting is provided "AS IS" with no warranties, and confers no rights.

Top Whitepapers:
Auto-enrollment whitepaper: http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/autoenro.mspx
Best Practices for implementing Windows Server 2003 PKI: http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/ws3pkibp.mspx
Troubleshooting Certificate Status and Revocation whitepaper: http://www.microsoft.com/technet/security/topics/crypto/tshtcrl.mspx
Windows Server 2003 web enrollment and troubleshooting guide: http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/webenroll.mspx

"rd" <anonymous@discussions.microsoft.com> wrote in message news:295301c50f22$ecb385a0$a501280a@phx.gbl...
> Hi there,
>
> I don't know if this is a silly question but here goes...
>
> Could somebody set up their own certificate servers to
> create a fake end-entity certificate saying they were
> someone they aren't, and pretending to be issued from a
> trusted source?
>
> If they were then able to install this end-entity
> certificate and the fake CA certificates on an
> unsuspecting person's machine, this would then pass
> certificate chain verification. Is there any way the
> unsuspecting person could tell when data was sent from the
> imposter or the genuine person?
>
> Thanks,
> rd.
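The reply's point is that chain validation can only be as trustworthy as the root store it validates against, so the defensive control is to know exactly which roots are installed and to notice when one appears that nobody approved. The following PowerShell script is an added example, not code from the thread or from Microsoft: it compares the trusted root stores of the local machine and the current user against an approved baseline of thumbprints and reports any root that is not on it. The thumbprint values in `$ApprovedThumbprints` are placeholders and must be replaced with the thumbprints of the roots your organisation has actually approved (for example, exported from a reference machine or taken from the GPO that distributes them).

```powershell
# Added example (not from the original newsgroup post): audit the Windows
# trusted root stores against an approved baseline and flag anything else.
#
# Assumption: $ApprovedThumbprints holds the SHA-1 thumbprints of roots your
# organisation deliberately trusts. The values here are placeholders.
$ApprovedThumbprints = @(
    'PLACEHOLDER_THUMBPRINT_OF_APPROVED_ROOT_1',
    'PLACEHOLDER_THUMBPRINT_OF_APPROVED_ROOT_2'
)

# Both stores matter: a root dropped into the current user's store is trusted
# for that user's chain building just as a machine-wide root is.
$StoresToAudit = @('Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root')

function Get-UnapprovedRoots {
    param(
        [Parameter(Mandatory)] [string[]] $Approved,
        [Parameter(Mandatory)] [string[]] $StorePaths
    )
    foreach ($store in $StorePaths) {
        if (-not (Test-Path $store)) { continue }
        Get-ChildItem -Path $store |
            # -notin compares case-insensitively, so thumbprint case is irrelevant
            Where-Object { $_.Thumbprint -notin $Approved } |
            Select-Object `
                @{ Name = 'Store';      Expression = { $store } },
                Subject, Issuer, Thumbprint, NotBefore, NotAfter,
                # A root is self-signed; anything else in this store is odd too.
                @{ Name = 'SelfSigned'; Expression = { $_.Subject -eq $_.Issuer } }
    }
}

$unapproved = @(Get-UnapprovedRoots -Approved $ApprovedThumbprints -StorePaths $StoresToAudit)

if ($unapproved.Count -gt 0) {
    Write-Warning "Found $($unapproved.Count) trusted root(s) not on the approved baseline:"
    $unapproved | Format-Table -AutoSize -Wrap
    # Non-zero exit code so a scheduled task or monitoring job can alert on it.
    exit 1
} else {
    Write-Host 'Trusted root stores match the approved baseline.'
    exit 0
}
```

Run it from a scheduled task or a configuration-management job and treat a non-zero exit as an alert to investigate; the `NotBefore` column is often the quickest tell, since a root that appeared recently on a machine whose baseline has not changed is exactly the case the reply describes. Note that Windows also adds roots automatically through the root certificate update mechanism, so a baseline built from one reference machine will need to include those entries (or you will see them reported as unapproved).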