

The SSL certificate industry is a messy business


mouser:
damn app is ahead of me once again.

superboyac:
I've always wondered about certificates.  How are they useful?  What additional level of protection do they provide?  For me as an end user, it's been nothing but a nuisance.  But I don't know enough about them to criticize them.

f0dder:
I've always wondered about certificates.  How are they useful?  What additional level of protection do they provide?  For me as an end user, it's been nothing but a nuisance.  But I don't know enough about them to criticize them.-superboyac (November 30, 2010, 11:21 PM)
--- End quote ---
In addition to just enabling SSL/TLS encryption, a certificate allows a site to verify to a user that it is who it says it is. For a cert to be automatically accepted by your browser, it has to be signed by one of the system-accepted top-level cert authorities (VeriSign or a bunch of others). A cert includes a fingerprint, and this can be used to detect whether the server has been compromised and had a new cert installed, if there's a man-in-the-middle snooping, etc.

The system is definitely not perfect, since false certificates can be made if just one of the cert authorities is rotten, or slacks on verification procedures - and there have been some cert attacks on certs made with MD5 hashes. But it's hard to do much better, really.

40hz:
+1 with f0dder.

They're better than nothing, but far from being a panacea.

f0dder:
For really secure scenarios, I'd want to store the certificate fingerprint and verify it client-side, so I know nobody has tampered with the server I'm connecting to - but it's a bit impractical doing this for web browsing. And if you do that, you need an updating mechanism since certs eventually will need updating.

Bonus effect of doing cert fingerprint validation: you can verify that a certificate is good without depending on a CA, which means self-signed certs become a very real possibility.
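The client-side fingerprint check f0dder describes, as an added example that is not part of the forum thread: a pin set holding the current cert's SHA-256 plus a backup pin for the next rotation (the "updating mechanism"), a constant-time match, and a connect helper that treats the pin, not a CA, as the trust anchor so a self-signed cert is accepted. The cert bytes and pins below are constructed placeholders; a real deployment pins the SHA-256 of the server's DER certificate obtained out of band.

```python
import hashlib
import hmac
import socket
import ssl

# Constructed placeholder DER bytes standing in for server certificates.
# A real cert comes from ssock.getpeercert(binary_form=True).
CURRENT_CERT_DER = b"constructed-current-cert-der"
NEXT_CERT_DER = b"constructed-next-cert-der"


def fingerprint(cert_der: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate, lowercase hex."""
    return hashlib.sha256(cert_der).hexdigest()


# Pin set shipped with the client: the live cert plus a backup for the
# planned rotation, so the server can roll over without a client update.
PINS = {fingerprint(CURRENT_CERT_DER), fingerprint(NEXT_CERT_DER)}


def pin_matches(cert_der: bytes, pins: set[str]) -> bool:
    """True if the certificate's fingerprint is in the pin set.

    hmac.compare_digest keeps the comparison constant-time so a mismatch
    does not leak how much of a pin matched.
    """
    fp = fingerprint(cert_der)
    return any(hmac.compare_digest(fp, pin) for pin in pins)


def pinned_connect(host: str, port: int, pins: set[str], timeout=5.0):
    """Open a TLS connection and keep it only if the peer cert is pinned.

    CA validation is disabled on purpose: the pin is the trust anchor, so
    a self-signed cert is fine as long as its fingerprint is pinned. Any
    cert outside the pin set, CA-signed or not, is rejected.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    raw = socket.create_connection((host, port), timeout=timeout)
    ssock = ctx.wrap_socket(raw, server_hostname=host)
    if not pin_matches(ssock.getpeercert(binary_form=True), pins):
        ssock.close()
        raise ssl.SSLCertVerificationError("peer certificate not pinned")
    return ssock
```

When the pinned cert expires, publish the replacement's fingerprint as the new backup pin well before rotating, otherwise clients with only the old pin set lose access.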
