The SSL certificate industry is a messy business
mouser:
damn app is ahead of me once again.
superboyac:
I've always wondered about certificates. How are they useful? What additional level of protection do they provide? For me as an end user, it's been nothing but a nuisance. But I don't know enough about them to criticize them.
f0dder:
I've always wondered about certificates. How are they useful? What additional level of protection do they provide? For me as an end user, it's been nothing but a nuisance. But I don't know enough about them to criticize them.-superboyac (November 30, 2010, 11:21 PM)
--- End quote ---
In addition to just enabling SSL/TLS encryption, a certificate allows a site to verify to a user that it is who it says it is. For a cert to be automatically accepted by your browser, it has to be signed by one of the system-accepted top-level cert authorities (VeriSign or a bunch of others). A cert includes a fingerprint, and this can be used to detect whether the server has been compromised and had a new cert installed, if there's a man-in-the-middle snooping, etc.
The system is definitely not perfect, since false certificates can be made if just one of the cert authorities is rotten, or slacks on verification procedures - and there have been some attacks on certs made with MD5 hashes. But it's hard to do much better, really.
40hz:
+1 with f0dder.
They're better than nothing, but far from being a panacea.
f0dder:
For really secure scenarios, I'd want to store the certificate fingerprint and verify it client-side, so I know nobody has tampered with the server I'm connecting to - but it's a bit impractical doing this for web browsing. And if you do that, you need an updating mechanism since certs will eventually need updating.
Bonus effect of doing cert fingerprint validation: you can verify that a certificate is good without depending on a CA, which means self-signed certs become a very real possibility.
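
The client-side fingerprint check and updating mechanism discussed in the last post, as an added example that was not written by anyone in this thread. The `PinStore` class, the backup-pin rotation scheme and the choice of SHA-256 are assumptions made for illustration; the check bypasses the CA chain entirely, so it works the same for a self-signed certificate.

```python
import hashlib
import hmac
import socket
import ssl


def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate, lowercase hex."""
    return hashlib.sha256(der).hexdigest()


def normalize(fp: str) -> str:
    """Accept 'AA:BB:...' or 'aabb...' as stored pin formats."""
    return fp.replace(":", "").strip().lower()


class PinStore:
    """Hypothetical store: current pin plus a backup pin for the next cert."""

    def __init__(self, current, backup=None):
        self.current = normalize(current)
        self.backup = normalize(backup) if backup else None

    def check(self, der: bytes):
        """Return 'current', 'backup' (and promote it), or None on mismatch."""
        seen = fingerprint(der)
        if hmac.compare_digest(seen, self.current):
            return "current"
        if self.backup and hmac.compare_digest(seen, self.backup):
            # Server has rotated to the pre-announced cert: retire the old pin.
            self.current, self.backup = self.backup, None
            return "backup"
        return None


def connect_pinned(host, port, store, timeout=5.0):
    """Open a TLS socket and keep it only if the peer cert matches a pin."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE  # no CA involved; the pin is the trust decision
    raw = socket.create_connection((host, port), timeout=timeout)
    tls = ctx.wrap_socket(raw, server_hostname=host)
    der = tls.getpeercert(binary_form=True)
    if der is None or store.check(der) is None:
        tls.close()
        raise ssl.SSLError("peer certificate does not match any stored pin")
    return tls
```

The backup pin has to reach the client over a channel that is already trusted, for example shipped with the application before the server switches certificates; a client holding only the old pin will refuse the new certificate.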