New SSL certificate being installed - still self-signed

Discussion in 'General Topics' started by LowWaterMark, Apr 2, 2015.

  1. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,878
    Location:
    New England
    Our self-signed certificate is about to expire, so, I have made a new one to cover this next year.

    My reason for using my own signing has been explained in the past, and, I'm keeping with that approach for this next year, as well.

    https://www.wilderssecurity.com/posts/2205579/

    New fingerprints for this next year are as follows:
    sha-1: D3 D3 C2 27 3A FA CC 9A 3E 80 5E 5A 00 45 FA BC 11 B4 C8 6F
    sha-256: 02 D8 E3 1E 75 96 BD 3F 89 47 6A 38 98 6D 65 CC 58 E7 C0 B2 64 56 97 47 50 A3 DA 4E C4 B3 CF 57

    Image of fingerprints
    self-signed-cert-2015-fingerprints.png
     
  2. Yuki2718

    Yuki2718 Registered Member

    Joined:
    Aug 15, 2014
    Posts:
    1,257
    Sorry, from your link I couldn't find the reason, and a link in the link seems to have been removed. Can you give me a direct link for the reason or explanation?
    Basically, a self-signed cert will only be good for those who can verify the fingerprint by themselves?
     
  3. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,878
    Location:
    New England
    Ah, I had forgotten the old FAQ was part of vBulletin and was no longer available here on XenForo. I have just updated the linked post above to include the FAQ explanation and the other reference links. Re-read that post and then let me know if you have additional questions.
     
  4. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    5,133
    Location:
    USA
    Thanks for the update. I was wondering why Firefox gave a warning on the certificate yesterday. I have no problem with the fact that the cert is self-signed, especially now that CA validation is showing vulnerabilities. It may freak out some users though who don't understand how cert validation works.
     
  5. Yuki2718

    Yuki2718 Registered Member

    Joined:
    Aug 15, 2014
    Posts:
    1,257
    Ok, I got it but need more explanation.
    As long as the visitor confirms the fingerprint, it's okay. But I doubt many ppl confirm it, and in Android I can't confirm the fingerprint.
    Although your point of a CA issuing a cert just by email address is a serious problem, still it can prove WHO you accessed, and encryption w/out verification is meaningless in TLS. It's completely another thing whether the server or entity is good or not.
    Those who know TLS well can get some more info by looking at the cert, e.g. if it is just domain verification or org verification, if they have vuln & malware scan (Verisign/Symantec) etc.
    Moreover, this may have the risk of encouraging ppl to ignore warnings.
     
  6. Yuki2718

    Yuki2718 Registered Member

    Joined:
    Aug 15, 2014
    Posts:
    1,257
    Can you explain what vuln was found in CA validation?
     
  7. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    5,133
    Location:
    USA
    Well, vulnerability may not be the right word. I'm referring to the issues that have already been discussed on Wilders, such as security applications replacing browser certs, CAs issuing certificates without requiring much proof of identity, etc; all of the issues which call into question the reliability of the chain of validation.
     
  8. Yuki2718

    Yuki2718 Registered Member

    Joined:
    Aug 15, 2014
    Posts:
    1,257
    Okay, I just thought you knew some news I missed.
    Certificate transparency and CAs issuing certs too easily are important matters, but security software or so installing their own cert is another matter. It's not a matter of TLS, but a matter of the program (and user).
    Also I think Wilders using self-signed is another matter.

    BTW, if you feel the limitations of the CA-based TLS system, you can test DANE with these tools, tho currently it's not widely used, just the same as DNSSEC itself.
     
  9. Veeshush

    Veeshush Registered Member

    Joined:
    Mar 16, 2014
    Posts:
    643
    Figured as much when I saw my browser complain about it.

    As always, thanks for being a cool guy for allowing us as forum users to use HTTPS. :thumb: A lot of other forums I'm on won't even consider it, sadly.
     
  10. Yuki2718

    Yuki2718 Registered Member

    Joined:
    Aug 15, 2014
    Posts:
    1,257
    I waited, and no explanation yet?
    What is the real reason you don't want to apply an SSL certificate? Money or trouble? Maybe you know some certs are almost free, so it won't be money actually. I'm not convinced by your explanation in the link so far.
    Do you really believe self-signed doesn't have problems? I don't really care, but theoretically a MITM attacker can even alter your fingerprint listed here. And how can we know you properly manage your private key (tho it's not a specific problem of self-signed, what do you do if it's stolen)? You can say as admin "If you don't trust me, don't use my forum" but I think it's a general problem. There are situations where self-signed can be safely used, but this forum doesn't match the conditions, as the fingerprint is only listed in the forum and it's a public forum on the internet where everyone can see and attend. Also you said many browsers can remember an SSL exception; it's true in Firefox, but if it's IE or Chrome, we have to add your certificate to the trusted root CAs.
    I want to hear how @BoerenkoolMetWorst, @Minimalist, @itman, and @Victek think about it, as they may be the only few active members who seem to have a proper understanding of or consciousness about SSL (sorry if I missed anyone else).

    It seems some forums, like Malwaretips, even don't have SSL, so Wilders having SSL is a bit better, but not much different actually in terms of security, and can even give a false sense of security.
     
  11. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    5,133
    Location:
    USA
    I'm flattered to be on your list :) as I'm only a novice in these matters. You mentioned that there are situations where a self-signed certificate can be safely used, but the forum doesn't match the condition. Can you say more about when it's safe and why it isn't in this forum? More generally, it seems to me that a public discussion forum has little to offer hackers, plus there are many forums that only use HTTP and would be easier to attack, but I guess an attack on Wilders is possible (because anything is possible).
     
  12. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,878
    Location:
    New England
    My reasons are fully explained in the links, so, all I can do to answer you is to repeat what I've already written.

    But, I will add that MITM attacks are just as easy against a site with a CA provided cert as a self-signed one. If a CA grants an open ended cert to some big company or govt agency, which everyone knows has been done, and they then put that between us and this forum, our browsers wouldn't object to that regardless of whether the cert here is self-signed or provided by a CA. It's the trust on the MITM cert that's important at that point, not the target site's certificate.

    As for the other points, you already answered the idea of mismanaging the private key... totally the same issue if we were using a CA signed cert. An admin could mismanage that one just the same way.

    But, about not even having SSL available... is that really preferred? I mean, just because of the possibility that something could go wrong, it would be better to not provide SSL at all? Keep in mind, in the old posts on this, I've explained that the default entry to this forum is normal HTTP, not HTTPS. In fact, when you are browsing this forum with HTTP, there isn't a single link pointing at the forum using HTTPS.

    In any case, I've never actually recommended that normal visitors to the forum use SSL. I've simply made it available for those who'd like to use it. And, I did that mostly for myself, because, of all the users of this forum, it's my sessions, and my passwords that really need protecting. Outsiders can't take over the forum if they get member session data, but, they can if they get mine. So, I always use SSL here.
     
  13. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    5,088
    I've been mentioned in a previous post; although I don't consider myself an expert on SSL, I'll give my 2¢.
    When it comes to the question of who is the issuer, I trust LWM and think that the private keys are safe and probably more secure than those issued by large CAs. After all we are on a security forum and I'm sure the Administrators have enough knowledge to secure the keys. IMO it's just a matter of trust.
    When it comes to using HTTPS or HTTP, I support using the first 100%. I would like to see all webpages using the HTTPS protocol instead of HTTP. In that regard I hope that this forum will turn to mandatory SSL in a few years and that all members and visitors will get the protection offered by encryption. If that ever happens, the certificate will have to be issued by a 3rd party CA.
     
  14. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    3,771
    Location:
    Outer space
    I also want to say I don't consider myself an expert, but I'll give my view on it. (Keep in mind this is afaik)
    Not counting visually obvious MitM attacks (forcing to HTTP, using a self-signed cert etc.), the way to MitM a site with a CA-signed SSL certificate is to compromise or force one of many CAs or (in some cases) resellers to get a valid certificate of your own, and no browser will complain. When you want to MitM a self-signed cert you could do it with a valid certificate just as easily as in the other scenario. You could also try with a self-signed cert, but at least in Firefox it will display the default self-signed cert warning because it is not the same fingerprint as is remembered. Of course this may not be the same with other browsers that don't remember the exception, but I think that if you visit Wilders HTTPS regularly, you'll probably add it to the trusted CAs anyway so you don't have to allow it every time.
    So IMO the security of self-signed and CA-signed is the same, for an ALREADY established connection. There is still indeed the problem of first trust: how do you know if a MitM attacker doesn't replace the given fingerprints with his own, tricking you into trusting the MitM certificate? An image is provided to stop automatic replacing of the txt version, but it probably wouldn't be difficult to do this for the image as well. You could also PM LowWaterMark for the fingerprints, which would probably at least work against automated attacks. You could also visit Wilders and check the fingerprint through different connections like public WiFi, VPN, Tor etc., which would reveal a MitM attack, unless done on a massive scale. If your attacker is able to pull this off, it would probably also be quite easy for them to get a valid certificate for MitMing anyway.

    Though a CA-signed cert can be more secure than self-signed if you also use HSTS and especially HPKP (HTTP Public Key Pinning; don't know all supported browsers but both Firefox and Chrome stable support this), though both these standards also rely on TOFU (Trust On First Use).
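    One way to do the out-of-band fingerprint check described in this post (comparing what the server presents against the values posted at the top of the thread, ideally over a second network path) is the following shell script. It is an added example, not part of the thread and not the forum's own tooling; it uses the openssl CLI and assumes openssl 1.1.1 or later. The demo certificate, the name demo.invalid and the minimal config file are constructed for the example; `fetch_server_cert` is the live variant for a host you choose.

```shell
# Added example (not from the thread, not the forum's own tooling): check a
# certificate against a fingerprint obtained out of band, using the openssl CLI.
# Assumes: openssl 1.1.1 or later on PATH. The demo certificate, the name
# demo.invalid and the minimal config file are constructed for this example.

# Normalise a fingerprint string to bare uppercase hex: accepts the spaced form
# posted in the thread ("02 D8 E3 ..."), the colon form openssl prints, and an
# optional "SHA256 Fingerprint=" prefix.
normalize_fp() {
    printf '%s' "$1" | sed -e 's/^.*=//' -e 's/[: ]//g' | tr 'abcdef' 'ABCDEF'
}

# SHA-256 fingerprint (normalised) of a PEM certificate file.
cert_fingerprint() {
    normalize_fp "$(openssl x509 -in "$1" -noout -fingerprint -sha256)"
}

# Exit 0 when the certificate in $1 matches the published fingerprint $2.
# The published value should come from a channel the site itself does not
# control (PM, a printed copy, a different network path), not from the page.
verify_fingerprint() {
    [ "$(cert_fingerprint "$1")" = "$(normalize_fp "$2")" ]
}

# Live variant (not exercised by the test): save the leaf certificate the
# server actually presents on this path, i.e. what the browser would see.
fetch_server_cert() {
    openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -outform PEM
}

# Constructed demo: a throwaway self-signed certificate standing in for the
# site's cert. Prints the path of the PEM file.
make_demo_cert() {
    dir=$(mktemp -d)
    printf '[req]\ndistinguished_name = dn\nprompt = no\n[dn]\nCN = demo.invalid\n' \
        > "$dir/min.cnf"
    openssl req -x509 -config "$dir/min.cnf" -newkey rsa:2048 -nodes -days 1 \
        -keyout "$dir/key.pem" -out "$dir/cert.pem" 2>/dev/null
    printf '%s' "$dir/cert.pem"
}

# Usage: verify_fingerprint "$(make_demo_cert)" "<fingerprint copied from a trusted source>"
```

    Running `fetch_server_cert` from two different networks and feeding both files to `cert_fingerprint` is the practical form of the "check through different connections" idea: a fingerprint that differs between paths, or from the out-of-band copy, is the signal that something sits between you and the server.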
     
  15. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
  16. TheWindBringeth

    TheWindBringeth Registered Member

    Joined:
    Feb 29, 2012
    Posts:
    2,089
    May I use this opportunity to refresh/improve my understanding?

    What prevents a self-signed certificate, of the form used by Wilders, from being used against someone that has installed it? Let's just assume for a moment that someone is in a position to MITM you *and* they've acquired Wilders' private key. Theoretically, their "ownage" of the root CA installed on your system could allow them to MITM all of your SSL traffic? The client would have to impose restrictions on what the CA certificate is used for? What fields within the Wilders cert make it clear that it shouldn't be used to sign other certificates?

    I ask in part because I'm generating a basically identical cert for a test server, but on my to do list is researching whether 1) the certificate itself could be improved (Path Length Constraints, Key Usage, ...) and/or whether it would be better to use both a non-CA server cert (private key unencrypted on hosted server) and a CA cert (private key kept private, possibly just thrown away after the previous cert is generated).
     
    Last edited: Apr 11, 2015
  17. Yuki2718

    Yuki2718 Registered Member

    Joined:
    Aug 15, 2014
    Posts:
    1,257
    Thank you guys for all your valuable comments. I really appreciate them.
    I'm not an expert either, just one of those who are learning security, so I asked your opinion. And as self-signed generally has its risks and is not good practice for a public website, I wanted to know why LWM uses it.
    This is for me the most persuasive point. Sure, if your pwd was stolen, it would be a serious matter. And self-signed should work at least for you as you made the cert. I also didn't know and didn't think it is only meant for advanced users, tho I myself have long assumed Wilders doesn't offer SSL. Thanks for clarifying a bit more.
    In that scenario, only a big company or gov can MITM (and ofc a super skilled hacker who can compromise a CA, as BoerenkoolMetWorst explained), but for self-signed EVERYONE can MITM unless a visitor checks the fingerprint; it's a big difference, and what I cared about is that maybe most ppl won't actually check the fingerprint. But now I know it is meant only for advanced users, I hope all of them know how to check the fingerprint.
    What I want to confirm is, if you find the key was stolen, what do you do? If it was a CA-approved SSL, you would report to the CA and the CA would revoke the cert. But what if your key was stolen, and an adversary runs a fake Wilders with a fake cert (he also needs to poison DNS)?
    I didn't suggest you remove SSL, I said "so Wilders having SSL is a bit better, but not much different actually in terms of security". It's a fact, unless we acquire the fingerprint in a secure way. As I already noted, I'm not actually caring about fingerprint alteration by MITM, but I would be frightened if you simply didn't know there's a risk.
    If you can verify the server by other means (e.g. checking the fingerprint via another secure channel), it's safe. Also if you know the service will be used only by known limited members (private service), it's okay.
    FWIW, RFC2246 specifies 3 authentication modes including "anonymous key exchange", and in its description (F.1.1.1)
    And from 7.4.2
    It means it is allowed only when a client requires an anonymous connection. But using self-signed on a public server is almost the same as the server forcing an anonymous connection when the client didn't require it, and this is only safe against passive eavesdropping but not safe against active (MITM).

    Yeah, I understand your point. Even if Yuki2718 was hacked, it's not serious damage for me. Maybe I was too harsh, but I couldn't suppress my feeling that a security forum shouldn't encourage insecure practice, as I expect common ppl will simply ignore the browser warning.

    Well, whether the private key is secure or not depends on the server admin, so self-signed or CA's doesn't make a difference, as LWM said. But I do care a bit about IF the key was stolen. As to the matter of trust, I can't blindly trust LWM as I don't know him/her, but again the same goes for every other forum.
    Yeah, if all Wilders content becomes SSL, then he/she should apply for a CA's SSL.
    If LWM clarifies what he/she will do when the key is stolen and if it is reasonable, I agree. Yeah, the largest risk is in the initial connection; we know that the actual risk is low (what benefit does the attacker get by MITMing Wilders?), but I cared that it might encourage common ppl to ignore warnings, which reportedly is an actual matter.

    Tho Chrome & Fx adoption of HPKP is a very good advance, their list of protected domains is limited to major websites. So we still need EMET or sth to protect other sites.

    It's good we can confirm the fingerprint other than via Wilders itself, but a paranoid man will need to confirm it via an encrypted email channel on a different network or any other secure means as BoerenkoolMetWorst suggested. Actually I'm not that paranoid tho.

    Not all SSL, only SSL toward (fake) Wilders can be intercepted, as all other SSL certs belong to other root CAs.
    If you just installed the Wilders CA, it will have all privileges/usages. So limiting it to server authentication is a good idea. If you're running Windows, open certmgr.msc, select the installed Wilders cert, and from the advanced tab (or sth like that, sorry I don't know the correct English name) choose edit properties, and uncheck all unneeded usages.
    Sorry, I don't get what you mean, maybe due to my lack of knowledge. Can you clarify it more, preferably with easy English? But sorry, even if you did, I'm not sure if I can help you...
     
  18. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,878
    Location:
    New England
  19. TheWindBringeth

    TheWindBringeth Registered Member

    Joined:
    Feb 29, 2012
    Posts:
    2,089
    The MITM would be able to strip webserver delivered certs and replace them with ones that it generates, right? In the scenario I'm talking about, the MITM has Wilders private key and the user has installed the Wilders cert. Example:

    You visit https://www.example.com, the MITM replaces existing certs with those it generates on the fly. It generates a cert for www.example.com which is signed by and chains up to the Wilder's CA cert.

    What, *exactly*, would prevent that example from working? By that I mean: precisely what in the Wilders certificate instructs the client to disallow that type of usage?

    When validating a server's certificate, the Subject CN gets compared to the hostname. So in the above example, the cert for www.example.com would have to have a Subject CN of www.example.com or *.example.com. However, when a CA certificate is evaluated, the Subject CN isn't used for such checks. Is this correct?

    Can the options used to generate the certificate be changed so that the certificate, itself, imposes tighter restrictions?

    These are the things I'm trying to understand. Not only so I understand implications here, but also because I want to correctly generate certs for my own server.
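    The question above (which fields in the certificate itself stop a trusted self-signed cert from being used as an issuer) can be answered by generating the two certificate shapes and letting path validation judge them. What follows is an added example, not from the thread and not Wilders' real certificate or configuration; it uses the openssl CLI (1.1.1 or later assumed) and every name in it (forum.example, Demo Private CA, www.example.com, the scratch directory) is made up. The first profile is a self-signed server certificate with basicConstraints CA:FALSE and a keyUsage that omits keyCertSign; the second is a small private CA with CA:TRUE, pathlen:0, the two-certificate layout TheWindBringeth describes. Each key is then used to sign a certificate for www.example.com, and `openssl verify` stands in for the browser that has installed the self-signed cert as a trust anchor.

```shell
# Added example (not from the thread, not Wilders' real certificate or config):
# how basicConstraints and keyUsage decide whether a trusted certificate can
# act as an issuer. Assumes openssl 1.1.1 or later on PATH; every name below
# (forum.example, Demo Private CA, www.example.com) is made up.

# Extension profiles. A relying party checks these on every issuer in a chain.
write_demo_config() {
    cat > "$1" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder

# Self-signed server cert: authenticates one server, may not sign other certs.
[server_selfsigned]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectKeyIdentifier = hash

# Private CA kept offline: may issue end-entity certs only (pathlen:0).
[private_ca]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

# End-entity profile for a certificate issued with either key.
[leaf]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:www.example.com
EOF
}

# make_selfsigned WORKDIR NAME CN SECTION -> NAME.pem / NAME.key
make_selfsigned() {
    openssl req -x509 -config "$1/demo.cnf" -extensions "$4" \
        -newkey rsa:2048 -nodes -days 1 -subj "/CN=$3" \
        -keyout "$1/$2.key" -out "$1/$2.pem" 2>/dev/null
}

# issue_leaf WORKDIR ISSUER OUT -> OUT.pem for www.example.com, signed by ISSUER's key
issue_leaf() {
    openssl req -new -config "$1/demo.cnf" -newkey rsa:2048 -nodes \
        -subj "/CN=www.example.com" -keyout "$1/$3.key" -out "$1/$3.csr" 2>/dev/null
    openssl x509 -req -in "$1/$3.csr" -CA "$1/$2.pem" -CAkey "$1/$2.key" \
        -CAcreateserial -days 1 -extfile "$1/demo.cnf" -extensions leaf \
        -out "$1/$3.pem" 2>/dev/null
}

# chain_verifies WORKDIR ANCHOR LEAF: exit 0 when a client trusting ANCHOR.pem
# would accept LEAF.pem (openssl's path validation standing in for the browser).
chain_verifies() {
    openssl verify -CAfile "$1/$2.pem" "$1/$3.pem" >/dev/null 2>&1
}

# Exit 0 when the certificate file carries basicConstraints CA:TRUE.
is_ca_cert() {
    openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'
}

# Build both scenarios in a scratch directory and print its path.
run_demo() {
    dir=$(mktemp -d)
    write_demo_config "$dir/demo.cnf"
    make_selfsigned "$dir" forum "forum.example" server_selfsigned
    make_selfsigned "$dir" ca "Demo Private CA" private_ca
    issue_leaf "$dir" forum forged   # server key misused to mint www.example.com
    issue_leaf "$dir" ca legit       # the same leaf issued by the real CA
    printf '%s' "$dir"
}

# Usage: d=$(run_demo); chain_verifies "$d" forum forged; echo "exit=$?"  (non-zero expected)
```

    With the constrained certificate as the trust anchor, the certificate it signed is rejected: a relying party requires every issuer in the chain to carry basicConstraints CA:TRUE and, when keyUsage is present, keyCertSign, so a leaked server key of this shape cannot be turned into an issuer for other hostnames. With the private CA profile the leaf verifies, and pathlen:0 additionally rules out any intermediate CA beneath it; that key can stay offline while only the CA:FALSE server key lives on the host, which is the split the post above proposes.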
     
  20. Veeshush

    Veeshush Registered Member

    Joined:
    Mar 16, 2014
    Posts:
    643
    I'm no expert. Only within the last few years have I actually started understanding more about HTTPS (The EFF helped a lot with that) and I've mainly learned a good amount from https://www.ssllabs.com/ scan results of bad configs.

    It simply comes down to a matter of trust. The model of HTTPS certificates, in my opinion, was built upon commercial internet services, like shopping sites, banking, etc., to protect mainly against monetary loss (someone stealing your credit card numbers). Till Snowden/NSA, very few sites considered its privacy and security values, cause ignorance. "Who's going to target little old paranoid you?". Welp, base your security on assumptions, heh, what could go wrong? Preaching to the choir though.

    But my thoughts on self-signed HTTPS certs are this: most sites do not do it because their site's traffic consists of mostly HTTPS-unsavvy, everyday people. So if those see the big scary browser warning about the self-signed HTTPS cert, they probably won't have a clue what to do. Most on the internet don't care how it works, or why (and even I am far from an expert), but they want it to work without warning alert messages. If you leave that aside, the site admin has all the control over his server anyway. So your data is in his hands anyway. So honestly, if not a shopping/banking site, and if you depend on your users to understand what a self-signed HTTPS cert is, then I would say it is more secure or at least the best that's possible. It's a great way to do it. I wish more did it. There's no middleman.

    So yeah, just the majority of internet users being turned off by the "scary" self-signed HTTPS warning, and the fact HTTPS always seemed (to me at least) to be focused on shopping/banking protections.
     
    Last edited: Apr 11, 2015