Re: How can I act as a Certificate Authority (CA) with openssl ??

From: Dr. David Kirkby (see_my_signature_for_my_real_address_at_hotmail.com)
Date: 09/29/04 

Date: 29 Sep 2004 04:17:52 -0700

Bruno Wolff III <bruno@cerberus.csd.uwm.edu> wrote in message news:<slrncljgop.avp.bruno@cerberus.csd.uwm.edu>...
> In article <c99d2c79.0409280255.cbb9e6d@posting.google.com>, Dr. David Kirkby wrote:
> > But as far as I am aware, there is nothing legally (in the UK at
> > least) stopping me signing a digital certificate, verifying the
> > identity of someone else, then putting that on a web site. Of course,
> > whether a third party chooses to trust me is entirely up to them.
> > Being a 'nobody', I don't suppose others would attach too much weight
> > to it.
>
> There isn't. From what you said the only reason for you to consider
> paying for a certificate is that it might be simpler for you.

I'm interested in how it is done technically, so finding a simple
solution does not bother me too much. I enjoy technically challenging
things. Throwing money at a problem is not my idea of fun.

Amateur radio (ham radio) has been spoilt by this. Whereas years ago,
everyone built their own equipment and understood it, now that is very
rare indeed. 99.9% of radio hams just go to a shop, spend a fortune
(usually on interest free credit), then plug it all in. Many are
incapable of soldering a plug on the end of a bit of cable. That has
spoit it a lot for me.

> The "Mickey Mouse" comment was wrong as well. You might run into a trademark
> problem if you were selling certificates using "Mickey Mouse" as the
> organization name, but for your own private certs this isn't a problem.

Well, whatever the situation with requard to Micky Mouse, I will not
be doing that. I was only meant as a joke - the term seems to be used
in this way in the UK. We might well say a company is 'a mickey mouse
outfit' indicating they are not very professional.

I once gave a talk about computer security at work (I might not be an
expert, but I know more than most). To get over the point about how
easy it is to spoof emails, I sent everyone an email, that appeared to
come from Micky Mouse.

> > I can see that the cost of certificates might make some companies
> > think about doing their own.
 
> The main problem with doing your own and not controlling the browsers
> used to access the web site is that people will get scary warnings
> from their browser. The browser maker and cert orgs like this since
> companies with pay money to the cert companies to avoid scaring away
> customers and the cert companies pay the browser companies to include
> their certs as trusted by default.

In my particular instance, the people given access to the site are
friends of a friend, and he only invisages half a dozen or so having
the password. Hence those people will just be told the problem with
the certificate. There is no payment for access to the data - just
free to those who he needs to share it with. As such, in this case,
there is no point at all in him paying for a certificate.

I realise if you are doing credit card transactions there is not much
alternative but to buy a certificate.

But for other uses, there are no doubt occasions where it is viable to
avoid the cost, if the users are warned.

> The whole thing is a big scam as
> it doesn't protect people from going a different site than they meant
> that also has a valid cert and it doesn't protect information stored
> at the remote site.

True. The certificate only verifies who you are - not what your
background is.

> Most credit card theft from web transactions is
> going to come from data that is stored at the remote site, not by
> sniffing it in transit.

True.

What I find a bit odd is the web pages where they ask you to put say
the 2nd and the 4th chaacter of a password. That means the password is
stored in plain text. Whereas if you ask for the whole password, it is
possible (and sensible) to store it in an encrypted format. I can't
see how you can encrypt a password in any half-secure way, if you ask
for part of it.

Dr. David Kirkby.

Relevant Pages

  • Re: HTTPS proxy tool that resigns SSL certs
    ... having access to import a certificate into the browser. ... Your approach won't work, since your cert for attacker.com will most likely never match the URL that the victim's browser is expecting, and they will get a warning. ... Everything hinges on your being able to get a cert THAT MATCHES THE SITE THAT THE VICTIM IS GOING TO signed with a key that the browser will accept and valid for the current date. ... Compromise a recognised CA's verification checks to convince them to issue you a certificate for the target site. ...
    (Pen-Test)
  • [Full-disclosure] Certificate spoofing issue with Mozilla, Konqueror, Safari 2
    ... This makes the user vulnerable to certificate spoofing by ... Assumed a phisher could redirect a user's browser to his prepared ... so the cert looks ok. ...
    (Full-Disclosure)
  • Certificate spoofing issue with Mozilla, Konqueror, Safari 2
    ... This makes the user vulnerable to certificate spoofing by ... Assumed a phisher could redirect a user's browser to his prepared ... so the cert looks ok. ...
    (Bugtraq)
  • Re: [Full-disclosure] [HV-PAPER] Anti-Phishing Tips You ShouldNotFollow
    ... The Cert box is nearly impossible to spoof because you would have to spoof ... second SSL cert for the real bank host name. ... and wrote the bottom of the browser to ... It is possible that the Codefish technique could work if the Pharming was active during the bookmarking when checking the certificate credentials. ...
    (Full-Disclosure)
  • Re: ADFS Token-signing Certs Not in Trusted Root Store
    ... This is good info, Joe. ... So now I know that the token-signing certificate is ... Get a signing cert from a CA ... case, you never have to worry about expiration or CRL checking, as your cert ...
    (microsoft.public.windows.server.active_directory)