On Saturday 16 January 2010 10:56:29 Vadkan Jozsef wrote:
> ..I mean does an outdated self-signed certificate give the same security
> as a normal cert?

It depends on what you mean by security. You do get the same level of end-to-end encryption -- so attackers attempting to read the connection after it has been established will be stymied. However, you do not get the same level of authenticity verification. So, you don't know the validity of the end point you are negotiating with. This allows an attacker to attack the connection setup -- a man-in-the-middle attack.

A successful man-in-the-middle attack results in total compromise of the data transferred; the attacker can both record and manipulate the data exchanged in either direction or both.

Depending on the user agent (browser), once the user has accepted a self-signed certificate for a certain domain the user might not be prompted about the same certificate (based on secure hash) for the same domain. In this case, if the first connection was NOT intercepted, future connections would NOT be subject to man-in-the-middle attack. Also, if the first connection WAS intercepted and future connections were NOT, the user would be prompted because the certificate presented would have changed (based on secure hash).

Finally, if users or user agents can be transmitted the expected hash of a self-signed certificate presented by a certain domain using a secure path prior to establishing the connection, the self-signed certificate is as good as one with a cert chain ending in a CA. The CA infrastructure is established as a means of confirming the hash <-> domain mapping without every site having to communicate their hash to every potential user.

-- 
Boyd Stephen Smith Jr.                   ,= ,-_-. =.
b...@iguanasuicide.net                  ((_/)o o(\_))
ICQ: 514984 YM/AIM: DaTwinkDaddy         `-'(. .)`-'
http://iguanasuicide.net/                    \_/
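
The remember-the-hash behaviour described in the message above, as an added example that is not part of the original post: a per-domain store of certificate hashes run through the three cases the reply walks through. PinStore, the outcome strings, example.test and the certificate byte strings are hypothetical and constructed for illustration.

```python
import hashlib
import hmac

def fingerprint(der_cert: bytes) -> str:
    """SHA-256 over the DER bytes: the 'secure hash' a user agent remembers."""
    return hashlib.sha256(der_cert).hexdigest()

class PinStore:
    """Hypothetical per-domain store of accepted certificate hashes."""
    def __init__(self):
        self._pins = {}

    def pin_out_of_band(self, domain: str, expected_hash: str) -> None:
        # Hash received over a secure path before the first connection.
        self._pins[domain] = expected_hash.lower()

    def check(self, domain: str, der_cert: bytes) -> str:
        seen = fingerprint(der_cert)
        pinned = self._pins.get(domain)
        if pinned is None:
            # First contact: nothing to compare against, so interception
            # cannot be detected here. The accepted hash is remembered.
            self._pins[domain] = seen
            return "PROMPT_FIRST_USE"
        if hmac.compare_digest(pinned, seen):
            return "OK"
        return "PROMPT_CHANGED"  # pin is kept; the user must decide

# Constructed stand-ins for DER certificate bytes (not real certificates).
# On a live socket the bytes come from SSLSocket.getpeercert(binary_form=True).
SERVER_CERT = b"constructed-der:CN=example.test,key=server"
ATTACKER_CERT = b"constructed-der:CN=example.test,key=attacker"

def scenarios() -> dict:
    d = "example.test"
    clean, hijacked, oob = PinStore(), PinStore(), PinStore()
    oob.pin_out_of_band(d, fingerprint(SERVER_CERT))
    return {
        # First connection not intercepted: a later interception is flagged.
        "clean_first": [clean.check(d, SERVER_CERT), clean.check(d, SERVER_CERT),
                        clean.check(d, ATTACKER_CERT)],
        # First connection intercepted: the genuine cert later looks "changed".
        "intercepted_first": [hijacked.check(d, ATTACKER_CERT),
                              hijacked.check(d, SERVER_CERT)],
        # Hash delivered beforehand: even the first connection is verified.
        "out_of_band": [oob.check(d, ATTACKER_CERT), oob.check(d, SERVER_CERT)],
    }

if __name__ == "__main__":
    for name, outcome in scenarios().items():
        print(name, outcome)
```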