Tilted Forum Project Discussion Community - View Single Post - SSL Cert 128bit

Pragma · 04-22-2005, 11:00 AM

Self-signed certificates (what you're discussing) open a particular hole in trusted communications: Man in the Middle Attacks. If you're doing any kind of business communications (or anything with sensitive data), you're really better off with a trusted third party-signed certificate (such as Verisign or Thawte). The point of the trusted third party is so that an attacker cannot position themselves between you and the computer you're talking to and eavesdrop/alter all communications.

Self-signed certificates allow an attacker to generate a certificate signed "by the same authority" as yours and just tell (the curious attackee) "Oh, we had to generate a new certificate, but it's still me. I promise."

As to trache, the digital certificate isn't saying "I am Joe Bob Smith", it's saying "Everything signed this this certificate is coming from the same person."

04-22-2005, 11:00 AM	#7 (permalink)
Pragma I am Winter Born Location: Alexandria, VA	Self-signed certificates (what you're discussing) open a particular hole in trusted communications: Man in the Middle Attacks. If you're doing any kind of business communications (or anything with sensitive data), you're really better off with a trusted third party-signed certificate (such as Verisign or Thawte). The point of the trusted third party is so that an attacker cannot position themselves between you and the computer you're talking to and eavesdrop/alter all communications. Self-signed certificates allow an attacker to generate a certificate signed "by the same authority" as yours and just tell (the curious attackee) "Oh, we had to generate a new certificate, but it's still me. I promise." As to trache, the digital certificate isn't saying "I am Joe Bob Smith", it's saying "Everything signed this this certificate is coming from the same person."