Author Topic: SSL  (Read 18730 times)

m0ldy
Re: SSL
« Reply #30 on: January 21, 2013, 06:49:03 pm »
Not to revive an oldie, but the correct thing would be to use mod_rewrite and force all over HTTPS. Many hosts provide this via .htaccess files.

Would it be an option to donate a real SSL cert? You can pick them up for ~45 now.

Anything I run on the web has paid SSL certs, as accepting self-signed just gets you in the habit of accepting certs. MITM attacks can happen and you wouldn't even know.

iTpHo3NiX
Re: SSL
« Reply #31 on: January 21, 2013, 08:34:57 pm »
Quote from: m0ldy
Not to revive an oldie, but the correct thing would be to use mod_rewrite and force all over HTTPS. Many hosts provide this via .htaccess files.
Would it be an option to donate a real SSL cert? You can pick them up for ~45 now.
Anything I run on the web has paid SSL certs, as accepting self-signed just gets you in the habit of accepting certs. MITM attacks can happen and you wouldn't even know.

Name some sites with paid SSL certs? Even Google doesn't run a paid SSL cert... Everyone I know signs them themselves. And please elaborate how accepting a self-signed SSL cert can make a MITM attack happen?

Fur
Re: SSL
« Reply #32 on: January 22, 2013, 02:24:50 am »

Quote from: iTpHo3NiX
Name some sites with paid SSL certs? Even Google doesn't run a paid SSL cert... Everyone I know signs them themselves. And please elaborate how accepting a self-signed SSL cert can make a MITM attack happen?

Google's cert is verified, they've just acted as their own CA (or whatever it's called).
A few sites that use a paid cert:
Facebook.
Every bank I can name.
Wikipedia.


Quote
It all comes down to, can you determine that you are using the same crypto key that the server is? The reason for signing certificates and the like is to try to detect when you are being hit with a man-in-the-middle attack. In a nutshell, that attack is when you try to open a connection to your 'known' IP address, say, 123.45.6.7. Even though you are connecting to a 'known' IP address of a server you trust, doesn't mean you can necessarily trust traffic from that IP address. Why not? Because the Internet works by passing data from router to router until your data gets to its destination. Every router in between is an opportunity for malicious code on that router to re-write your packet, and you'd never know the difference, unless you have some way to *verify* that the packet is from the trusted server.
A crypto key, if you have the *correct* key, can verify for you that the data hasn't been tampered with. The problem is, however, that before you can begin encrypted communications, you must do an *unencrypted* key exchange, where the server gives you its crypto key. Here's where the man-in-the-middle has an opportunity. If your traffic is going through my router, I can intercept the self-signed key from the server, and generate a new self-signed key with the same server name, etc in it, so that it *looks* like the self-signed key from your server, but which allows me to decrypt the communications between you and the server. My router then establishes a connection to the server using the *correct* key, and as data passes between you and the server, I unencrypt the data using the real key, then re-encrypt it using the 'fake' key. So, the data is encrypted between me and the server, and between me and you, but gets unencrypted in my router, giving me the opportunity to spy on your data, or even alter it if I want.
The point of a CA-signed certificate is to give slightly stronger verification that you are actually using the key that belongs to the server you are trying to connect to.
Yes, self-signed keys have some uses - in particular if you happen to know the real key's fingerprint (a fingerprint is a numeric or hex string which identifies a cryptographic key), so that you can verify yourself that you are using the correct key for SSL. If you don't happen to know the fingerprint, it's probably still fine to use self-signed certs on a LAN, where you control all the equipment, so don't have to worry so much about a man-in-the-middle (although, arguably, on a LAN you might not even need encryption).
So, in summary, yes, SSL adds security to the connection, but ONLY if you can verify that the correct SSL key for your server is being used, and not a different key that a hostile router has injected.
From https://www.sslshopper.com/article-when-are-self-signed-certificates-acceptable.html

But I'm no expert on SSL, so forgive me if this doesn't apply here for some reason.
« Last Edit: January 22, 2013, 10:48:13 am by Fur »

iTpHo3NiX
Re: SSL
« Reply #33 on: January 22, 2013, 11:06:34 am »
No point in wasting money when you can just sign it yourself

Quote from: large text file you c/p
so don't have to worry so much about a man-in-the-middle

That was all I read... So pay money for what?

Fur
Re: SSL
« Reply #34 on: January 22, 2013, 12:02:07 pm »
Quote from: iTpHo3NiX
No point in wasting money when you can just sign it yourself

I agree with you there.

Reading the text I posted, I think it means an attacker could replace the self-signed cert with his own during the key exchange (or whatever it's called).
Then, when data is sent, he can decrypt it because he replaced the key with his own.

So one would be paying to make sure the key is actually the real key, by the looks of it.

I think it'd be cheaper just to make note of the cert and check if the cert matches the one displayed when one does something.

Of course, I could be wrong, and as I said in my last post, I'm not an expert on SSL.
« Last Edit: January 22, 2013, 12:07:18 pm by Fur »
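
One way to do the check discussed in this thread, noting a self-signed cert's fingerprint once and comparing it on every later connection. This is an added example, not code from any poster; the host name `forum.example`, the in-memory `store` and the constructed byte strings standing in for DER certificates are assumptions.

```python
import hashlib
import hmac
import socket
import ssl


class PinMismatch(Exception):
    """The certificate presented now differs from the one noted earlier."""


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate, lowercase hex."""
    return hashlib.sha256(der_cert).hexdigest()


def normalize(fp: str) -> str:  # accept 'AB:CD:..' as shown by browsers
    return fp.replace(":", "").replace(" ", "").lower()


def check_pin(store: dict, host: str, der_cert: bytes) -> str:
    """Return 'first-use' or 'match'; raise PinMismatch if the cert changed."""
    seen = fingerprint(der_cert)
    pinned = store.get(host)
    if pinned is None:
        # Trust on first use: pre-load an out-of-band fingerprint to close this gap.
        store[host] = seen
        return "first-use"
    if hmac.compare_digest(normalize(pinned), seen):
        return "match"
    raise PinMismatch(f"{host}: pinned {normalize(pinned)[:16]}..., got {seen[:16]}...")


def fetch_der(host: str, port: int = 443, timeout: float = 5.0) -> bytes:
    """Fetch the server's leaf cert without CA validation (the pin is the check)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False  # must be disabled before setting CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


if __name__ == "__main__":
    store = {}  # constructed in-memory pin store; persist it in real use
    for cert in (b"constructed-cert-A", b"constructed-cert-A", b"constructed-cert-B"):
        try:
            print(check_pin(store, "forum.example", cert))
        except PinMismatch as exc:
            print("cert changed (MITM or rotation):", exc)
```

In real use, pass the result of `fetch_der(host)` to `check_pin` before sending any data over the connection.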

bluechill
Re: SSL
« Reply #35 on: January 22, 2013, 10:54:36 pm »
Quote from: Fur
I agree with you there.
Reading the text I posted, I think it means an attacker could replace the self-signed cert with his own during the key exchange (or whatever it's called).
Then, when data is sent, he can decrypt it because he replaced the key with his own.
So one would be paying to make sure the key is actually the real key, by the looks of it.
I think it'd be cheaper just to make note of the cert and check if the cert matches the one displayed when one does something.
Of course, I could be wrong, and as I said in my last post, I'm not an expert on SSL.

Actually he couldn't if you actually accept the correct one. I can set up a CA for evilzone anyways and that would fix all your worries yet it would still show up flagged in the browser...

Fur
Re: SSL
« Reply #36 on: January 23, 2013, 05:52:36 am »
Quote from: bluechill
Actually he couldn't if you actually accept the correct one. I can set up a CA for evilzone anyways and that would fix all your worries yet it would still show up flagged in the browser...

I didn't think about that, good point.

It seems I should look on SO before I say something haha: http://stackoverflow.com/questions/292732/
« Last Edit: January 23, 2013, 05:55:35 am by Fur »

bluechill
Re: SSL
« Reply #37 on: January 23, 2013, 05:12:27 pm »
Quote from: Fur
I didn't think about that, good point.
It seems I should look on SO before I say something haha: http://stackoverflow.com/questions/292732/

Yes, this is the reason why we use a self-signed one; however, eventually I'll probably set up an evilzone certificate authority anyways, just not right now.

proxx
Re: SSL
« Reply #38 on: February 04, 2013, 04:50:46 am »
The point made about MITM is true.
However it stops your ISP from logging everything in the clear.
Which is a good thing.

Corrupted_Fear
Re: SSL
« Reply #39 on: February 04, 2013, 06:23:11 am »
beautiful, I love this place ^^


bluechill
Re: SSL
« Reply #40 on: February 04, 2013, 04:59:26 pm »
Quote from: proxx
The point made about MITM is true.
However it stops your ISP from logging everything in the clear.
Which is a good thing.

Eh no it's not... If you have accepted the certificate (the correct one) then a MITM attack is just as easy to tell as with verisigned ssl.