[Sorry for the long gap before replying]
As far as I can tell, the following might work:
- get a certificate with an arbitrary domain name (say foo.bar.com)
- configure DNS to return 127.0.0.1 when clients want to convert
foo.bar.com to an address
- supply the foo.bar.com certificate to the browser from localhost
Security on the local machine isn't really an issue - if the machine is
compromised then (as you say) there are much worse attacks than snooping
local data flow. The aim is to avoid browser warnings in a sequence of
transactions (which, when to remote machines, do need to be secure).
However, there is at least one attack I can think of if the client
software is widely distributed: the foo.bar.com certificate and key will
also become widely distributed and DNS spoofing would allow someone to
divert the connection to a malicious machine (i.e. not localhost).
Any comments, anyone? (thanks for previous replies; apologies again for
not replying for some time),
Andrew
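The risk Andrew describes comes down to one property of TLS: the client verifies the certificate's name, never the address it connected to. The following Go program is an added illustration (not from the thread) of that property and of the extra check a purpose-built local client, unlike a browser, could make; the function names, the self-signed stand-in certificate and the address 203.0.113.7 are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"fmt"
	"math/big"
	"net"
	"time"
)

// mintCert builds a self-signed stand-in for the CA-issued foo.bar.com cert plus a pool that trusts it.
func mintCert(name string) (*x509.Certificate, *x509.CertPool) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		DNSNames:     []string{name}, // the only identity a TLS client checks; no IP address is bound
		NotBefore:    time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		SerialNumber: big.NewInt(1), BasicConstraintsValid: true, IsCA: true, // self-signed: acts as its own root
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // der was just produced by CreateCertificate, so it parses
	pool := x509.NewCertPool()
	pool.AddCert(cert)
	return cert, pool
}

// browserAccepts does what a browser does: verify chain and hostname; the peer address plays no part.
func browserAccepts(cert *x509.Certificate, roots *x509.CertPool, host string) bool {
	_, err := cert.Verify(x509.VerifyOptions{DNSName: host, Roots: roots})
	return err == nil
}

// pinnedClientAccepts adds the check a purpose-built local client can make: the peer must be loopback.
func pinnedClientAccepts(cert *x509.Certificate, roots *x509.CertPool, host string, peer net.IP) bool {
	return browserAccepts(cert, roots, host) && peer.IsLoopback()
}

func main() {
	cert, roots := mintCert("foo.bar.com")
	spoofed := net.ParseIP("203.0.113.7") // constructed: a non-loopback host that spoofed DNS could point foo.bar.com at
	fmt.Println("browser:", browserAccepts(cert, roots, "foo.bar.com"), "pinned client:", pinnedClientAccepts(cert, roots, "foo.bar.com", spoofed))
}
```

The browser-style check succeeds wherever the name resolves, so once the foo.bar.com key ships inside a widely distributed client it has to be treated as public; only a client that also pins the peer to loopback closes the diversion.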
Greg Stark wrote:
>
> Andrew,
>
> Ha, that's a good one. Seriously, I'd imagine they might be reluctant to
> issue it because the DN would not be unique. Does Verisign / Thawte insist
> on unique DN's? I would think they'd have to. That's what the D in DN is all
> about, right? You could add other unique information to the DN to solve this
> problem, like include an second CN with a real internet hostname. I have
> seen certs with multiple CN's.
>
> Would it work? It would be subject to a MITS (man-in-the-stack) attack,
> but you've got bigger problems if you got a man in your stack ;)
>
> Greg Stark, [EMAIL PROTECTED]
> Ethentica, Inc.
> www.ethentica.com
>
> ----- Original Message -----
> From: "Andrew Cooke" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Friday, January 12, 2001 12:39 PM
> Subject: localhost certificate (no, really!)
>
> >
> > Hi,
> >
> > Is it possible to buy a "localhost" certificate from any of the major
> > suppliers? Is there any reason why it wouldn't work?
> >
> > (It's for an application that will run on arbitrary machines that needs
> > a web browser to make a local connection as part of a sequence of secure
> > connections - supplying a certificate will stop any security warning
> > from the browser telling the user that they are insecure...)
> >
> > Thanks,
> > Andrew
> > ______________________________________________________________________
> > OpenSSL Project http://www.openssl.org
> > User Support Mailing List [EMAIL PROTECTED]
> > Automated List Manager [EMAIL PROTECTED]