On Saturday 16 January 2010 10:56:29 Vadkan Jozsef wrote:
> ..I mean does an outdated self-signed certificate give the same security
> as a normal cert?
It depends on what you mean by security. You do get the same level of
end-to-end encryption -- so attackers attempting to read the connection after
it has been established will be stymied.
However, you do not get the same level of authenticity verification. So, you
don't know the validity of the end point you are negotiating with. This
allows an attacker to attack the connection setup -- a man-in-the-middle
attack. A successful man-in-the-middle attack results in total compromise of
the data transferred; the attacker can both record and manipulate the data
exchanged in either direction or both.
Depending on the user agent (browser), once the user has accepted a
self-signed certificate for a certain domain the user might not be prompted
about the same certificate (based on secure hash) for the same domain. In this
case, if the first connection was NOT intercepted, future connections would
NOT be subject to a man-in-the-middle attack. Also, if the first connection WAS
intercepted and future connections were NOT, the user would be prompted
because the certificate presented would have changed (based on secure hash).
Finally, if the expected hash of the self-signed certificate presented by a
certain domain can be transmitted to users or user agents over a secure path
prior to establishing the connection, the self-signed certificate is as good
as one with a cert chain ending in a CA. The CA infrastructure is established
as a means of confirming the hash <-> domain mapping without every site having
to communicate its hash to every potential user.
--
Boyd Stephen Smith Jr.
b...@iguanasuicide.net
ICQ: 514984 YM/AIM: DaTwinkDaddy
http://iguanasuicide.net/
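The three situations Boyd describes (first connection clean, first connection intercepted, expected hash delivered in advance over a secure path) come down to one mechanism: the user agent remembering a secure hash of the certificate per domain and comparing it on later connections. The Python below is an added illustration of that pin store, not code from the thread; the certificate bytes it feeds in are constructed stand-ins (only their hash matters), the `Verdict` and `PinStore` names are mine, and the `fetch_der_certificate` helper for pulling a real server's certificate with the standard `ssl` module is not exercised offline.

```python
import hashlib
import hmac
import ssl
from enum import Enum
from typing import Dict, List, Optional


class Verdict(Enum):
    """Outcome of checking a presented certificate against the pin store."""
    FIRST_USE = "first-use"   # no pin yet: remember this hash (trust on first use)
    MATCH = "match"           # same hash as before: connect without prompting
    MISMATCH = "mismatch"     # hash changed: user agent should prompt or refuse


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 over the DER-encoded certificate, hex encoded.

    This is the 'secure hash' a user agent remembers. It identifies the exact
    certificate regardless of who signed it or whether it has expired."""
    return hashlib.sha256(der_cert).hexdigest()


class PinStore:
    """Per-domain record of the certificate hash seen, or pre-distributed."""

    def __init__(self, preloaded: Optional[Dict[str, str]] = None) -> None:
        # Preloaded pins model hashes delivered over a secure path beforehand.
        self._pins: Dict[str, str] = dict(preloaded or {})

    def check(self, domain: str, der_cert: bytes) -> Verdict:
        fp = fingerprint(der_cert)
        known = self._pins.get(domain)
        if known is None:
            self._pins[domain] = fp          # first use: pin whatever was presented
            return Verdict.FIRST_USE
        if hmac.compare_digest(known, fp):   # constant-time comparison of hex digests
            return Verdict.MATCH
        return Verdict.MISMATCH

    def pinned(self, domain: str) -> Optional[str]:
        return self._pins.get(domain)


def fetch_der_certificate(host: str, port: int = 443) -> bytes:
    """Leaf certificate a live server presents, as DER bytes (network; not run offline)."""
    pem = ssl.get_server_certificate((host, port))
    return ssl.PEM_cert_to_DER_cert(pem)


# Constructed stand-ins for DER certificates; any two distinct byte strings
# serve, since the pin store only ever looks at their hash.
SITE_CERT = b"constructed stand-in: example.test self-signed certificate"
MITM_CERT = b"constructed stand-in: interceptor's substitute certificate"
DOMAIN = "example.test"


def first_connection_clean() -> List[str]:
    """First connection not intercepted: a later substitution is detected."""
    store = PinStore()
    return [store.check(DOMAIN, c).value for c in (SITE_CERT, SITE_CERT, MITM_CERT)]


def first_connection_intercepted() -> List[str]:
    """First connection intercepted: the interceptor's cert is pinned silently,
    and it is the genuine cert that later shows up as 'changed'."""
    store = PinStore()
    return [store.check(DOMAIN, c).value for c in (MITM_CERT, MITM_CERT, SITE_CERT)]


def hash_distributed_in_advance() -> List[str]:
    """Expected hash delivered over a secure path: no first-use window at all."""
    store = PinStore(preloaded={DOMAIN: fingerprint(SITE_CERT)})
    return [store.check(DOMAIN, c).value for c in (SITE_CERT, MITM_CERT)]


if __name__ == "__main__":
    for scenario in (first_connection_clean, first_connection_intercepted,
                     hash_distributed_in_advance):
        print(f"{scenario.__name__}: {scenario()}")
```

The second scenario is the one to notice: the store returns exactly the same sequence of verdicts as the clean case, so from the user agent's point of view trust-on-first-use cannot tell a clean first connection from an intercepted one. Only the third scenario, where the hash arrives ahead of time over a channel the interceptor cannot touch, removes that window, which is the role the CA chain plays for ordinary certificates.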