> -----Original Message----- > From: Martin Gainty [mailto:mgai...@hotmail.com] > Sent: Tuesday, March 19, 2013 7:35 AM > To: Tomcat Users List > Subject: RE: SSL Best Practices > > > 1)Have you ever tried to coerce IE to accept a self-signed cert 2)if > you purchase a pfx with a self-signed certificate sold to you by > chris_is_a_hacker.com for 1.00 then who do you think can break it
I use self-signed certificates from my own CA for testing. > > The cert allows browser to contact the sites SSL connector..by > presenting credentials usually from a Name Server such as ADS or LDAP > Most certificates are not backed by a name server. The existence of the certificate is deemed sufficient to provide proof of identity (if issued by a trusted 3rd party, such as Verisign). > the real work involves breaking the algorithm implemented by the key > > in order to establish Key exchange on a SSLv2 transport > The SSLv2 transport is sufficiently broken (or weak) that most SSL reliant applications disable it (or recommend in sufficiently strong terms that users disable it). > I sincerely doubt even chris_is_a-hacker can break any of the RSA > algorithms implemented by the key inside a versign.pfx If I am chris_is_a-hacker, I do not need to break anything, because by providing a PFX file (rather than by submitting a certificate request and having a certificate issued directly to me), I have a copy of the private key, and I can impersonate the user or website at will, depending on the kind of certificate(s) included in the pfx file. And as for breaking the key algorithm, I do not have to do that all (even if I did the right steps in having a certificate properly issued). There are a number of weaknesses in the SSL protocol itself that I can attack any of those to inject a man-in-the-middle attack. (In any case, I believe we have moved significantly off topic in this discussion.) This e-mail and any attachments are intended only for the use of the addressee(s) named herein and may contain proprietary information. If you are not the intended recipient of this e-mail or believe that you received this email in error, please take immediate action to notify the sender of the apparent error by reply e-mail; permanently delete the e-mail and any attachments from your computer; and do not disseminate, distribute, use, or copy this message and any attachments. --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
