About self-signed certificates
In connection with my participation in the project fin-ack.com, I constantly encounter similar remarks:
As for me, this is one of the cases of misunderstanding and prejudice, which are so many about security on the Internet. (Like the famous “Hackers, crackers, spam, cookies” :). I want to take it apart from two points of view: as a person who has worked for some time in the field of information security in a bank and dealt with most aspects of information security, and as a person engaged in developing and developing an Internet service.
But first I will answer the question, why do we not have a “normal” certificate? (Actually, there is a recent time :) The main reason is that in our list of priorities this item stood at the N-th place, and only now all N-1 of the previous items have been fulfilled. When you work on a new project, you always have to give up something, because the resources, primarily temporary, are limited ...
And why did he stand already in the N-th place?
First, why do I need an SSL certificate? In order to encrypt the HTTP-connection between the browser and the site on which the password and some other confidential data will be transmitted. What will change if the certificate is not signed by a trusted certificate authority? Nothing! The connection will still be encrypted exactly the same. The only possible problem is the man-in-the-middle attack, which is usually phishing or pharming on the Internet.
But many people put more sense into an SSL certificate:
We perfectly understand that such an opinion has the right to life. But everything is not so simple. Nothing prevents you from buying a certificate from Verisign or another vendor for a fake office or false personal data. They cannot verify that the client has legal grounds to impersonate the conditional LLC “Horns and Hoofs” from Perm, Russian Federation. The only thing checked when issuing a certificate is whether the domain for which you are requesting it belongs to you.
So, as for me, buying a certificate from Verisign is only a demonstration that the company is ready to throw away $ 500 and a few man-hours, or even more to settle all organizational issues, instead of spending this time. and money to develop new features or a real improvement in system security. In general, Verisign is for banks. There are other vendors that are easier and cheaper (for example, below).
')
But, most importantly, another. Any computer system is as vulnerable as its least protected link is vulnerable. A good approach to security is always a set of measures, in which you need to take into account all the risks and give everyone proper attention. Let me try to list the main risks of user data security for a standard Internet project dealing with personal information (web mail, personal bookkeeping, etc.) in order of importance:
Phishing / pharming (man-in-the-middle), in my opinion, is one of the least important risks, because it is much harder to implement, it will be quickly blocked and, therefore, such an attack makes sense only for systems with a very large number of users from which you can quickly catch very valuable data (classic example: internet banking). Compared to this, it is much easier to launch the vulnerability scanner and find that the old version of OpenSSH is used on the system or some patch is not installed on Windows (thousands of such testers are knocking us every day :). Or detect some kind of XSS or SQL injection vulnerability. This is not to mention the more complex problems of creating secure Internet systems, such as, for example, the correct use of sessions (and cookies) for authentication. This is what you need to pay attention to in the first place!
Another security aspect associated with certificates. Whether it is self-signed or issued by Verisign, it is still associated with a secret key that needs to be stored somewhere. Moreover, it is constantly used by the web server when opening HTTPS connections, i.e. It can not be used once when you turn on the power, save it to a USB flash drive and hide it in a safe. What happens if someone takes possession of the key? (a programmer who had access to the server, a cracker, or someone else). Ideally, this key is encrypted, but if desired, and if resources are available, it can be decrypted (and now it is cheaper than organizing a phishing attack). But we did not take into account that some web servers or reverse proxies do not know how to work with encrypted keys at all. And after all, a password can be hard-cocked somewhere in the text of a program or a script that launches it ... So, the fact that some website has a tag that its SSL certificate is signed by Verisign does not guarantee that one day There is no pharming counterpart using the same certificate with the stolen secret key.
Here I don’t even remember about aspects related to the PKI system, as features of its support on various specific platforms, such as j2me ...
Summary: there are things that are generally correct, but not always worth the effort. The concentration of start-ups should be on the other, and little things like “correct” certificates should go second-tier. First, as the Americans say, you need to get the product right. Everything has its time.
PS As a matter of fact, I understand that the way you try to change public opinion is easier to adapt to it, so we already have the “right” certificate (the time has come). By the way, which costs 10 times cheaper than most (thanks GoDaddy!). The purpose of this article is primarily to once again touch on the inexhaustible topic of information security on the Internet and try to put the accents in one of its aspects correctly.
I don’t trust your self-signed certificate, why don’t you buy a “normal” certificate?
As for me, this is one of the cases of misunderstanding and prejudice, which are so many about security on the Internet. (Like the famous “Hackers, crackers, spam, cookies” :). I want to take it apart from two points of view: as a person who has worked for some time in the field of information security in a bank and dealt with most aspects of information security, and as a person engaged in developing and developing an Internet service.
But first I will answer the question, why do we not have a “normal” certificate? (Actually, there is a recent time :) The main reason is that in our list of priorities this item stood at the N-th place, and only now all N-1 of the previous items have been fulfilled. When you work on a new project, you always have to give up something, because the resources, primarily temporary, are limited ...
And why did he stand already in the N-th place?
First, why do I need an SSL certificate? In order to encrypt the HTTP-connection between the browser and the site on which the password and some other confidential data will be transmitted. What will change if the certificate is not signed by a trusted certificate authority? Nothing! The connection will still be encrypted exactly the same. The only possible problem is the man-in-the-middle attack, which is usually phishing or pharming on the Internet.
- When phishing, the user is redirected to a site with a similar URL. At the same time, a warning about the certificate will appear in the browser (the same warning appears when you first access a real site with a self-signed certificate).
In general, in this situation it is enough just to look at which domain the certificate belongs to, and if this is the domain that you wanted to enter, add the certificate to the trusted ones. After that, any message about the untrusted certificate for this site can be perceived as an alarm bell. - The difference in pharming is that in this case the user will get to the site he wanted (judging by the URL). However, as with phishing, he will be shown a message about an untrusted certificate.
But many people put more sense into an SSL certificate:
... If the certificate is issued by some Verisign (for example), then this is a kind of "guarantee" that this site is a real organization / individual and at least "there is someone to ask if anything happens." Those. in general, it is a guarantee of the "seriousness" of the intentions of the site owners.
We perfectly understand that such an opinion has the right to life. But everything is not so simple. Nothing prevents you from buying a certificate from Verisign or another vendor for a fake office or false personal data. They cannot verify that the client has legal grounds to impersonate the conditional LLC “Horns and Hoofs” from Perm, Russian Federation. The only thing checked when issuing a certificate is whether the domain for which you are requesting it belongs to you.
So, as for me, buying a certificate from Verisign is only a demonstration that the company is ready to throw away $ 500 and a few man-hours, or even more to settle all organizational issues, instead of spending this time. and money to develop new features or a real improvement in system security. In general, Verisign is for banks. There are other vendors that are easier and cheaper (for example, below).
')
But, most importantly, another. Any computer system is as vulnerable as its least protected link is vulnerable. A good approach to security is always a set of measures, in which you need to take into account all the risks and give everyone proper attention. Let me try to list the main risks of user data security for a standard Internet project dealing with personal information (web mail, personal bookkeeping, etc.) in order of importance:
- Not enough thoughtful access to confidential data, which has holes
- Problems in the software that is used by the system (OS, web server, implementation of encryption protocols), allowing hacking
- Attacks like man-in-the-middle, social engineering
Phishing / pharming (man-in-the-middle), in my opinion, is one of the least important risks, because it is much harder to implement, it will be quickly blocked and, therefore, such an attack makes sense only for systems with a very large number of users from which you can quickly catch very valuable data (classic example: internet banking). Compared to this, it is much easier to launch the vulnerability scanner and find that the old version of OpenSSH is used on the system or some patch is not installed on Windows (thousands of such testers are knocking us every day :). Or detect some kind of XSS or SQL injection vulnerability. This is not to mention the more complex problems of creating secure Internet systems, such as, for example, the correct use of sessions (and cookies) for authentication. This is what you need to pay attention to in the first place!
Another security aspect associated with certificates. Whether it is self-signed or issued by Verisign, it is still associated with a secret key that needs to be stored somewhere. Moreover, it is constantly used by the web server when opening HTTPS connections, i.e. It can not be used once when you turn on the power, save it to a USB flash drive and hide it in a safe. What happens if someone takes possession of the key? (a programmer who had access to the server, a cracker, or someone else). Ideally, this key is encrypted, but if desired, and if resources are available, it can be decrypted (and now it is cheaper than organizing a phishing attack). But we did not take into account that some web servers or reverse proxies do not know how to work with encrypted keys at all. And after all, a password can be hard-cocked somewhere in the text of a program or a script that launches it ... So, the fact that some website has a tag that its SSL certificate is signed by Verisign does not guarantee that one day There is no pharming counterpart using the same certificate with the stolen secret key.
Here I don’t even remember about aspects related to the PKI system, as features of its support on various specific platforms, such as j2me ...
Summary: there are things that are generally correct, but not always worth the effort. The concentration of start-ups should be on the other, and little things like “correct” certificates should go second-tier. First, as the Americans say, you need to get the product right. Everything has its time.
PS As a matter of fact, I understand that the way you try to change public opinion is easier to adapt to it, so we already have the “right” certificate (the time has come). By the way, which costs 10 times cheaper than most (thanks GoDaddy!). The purpose of this article is primarily to once again touch on the inexhaustible topic of information security on the Internet and try to put the accents in one of its aspects correctly.
Source: https://habr.com/ru/post/54018/
All Articles