
Are self-signed certificates safer?

The conventional wisdom is that a Certifying Authority is necessary for a safe, encrypted connection to a Web site. The conventional wisdom might be wrong.

IT Security readers have already confronted the question of whether the TLS/SSL Certifying Authority system is a scam. A CA (Certifying Authority, or Certificate Authority, depending on who you ask) signing a given certificate asserts only that the CA believed the public key belonged to the named domain at the time of issue; it proves nothing about the security of the site or of the connection. Certain types of phishing sites may be very unlikely to buy signed certificates, but in the vast majority of cases a CA signature provides no practical guarantee of safety.

With the advent of the Perspectives approach to certificate authentication, even the "protection" CAs supposedly provide is, in principle, obsolete. Perspectives is a Firefox extension that compares the certificate a site hands you with what a set of independent network notaries have observed for that host over time, so a certificate that only you are being shown stands out whether or not a CA signed it. (What no certificate scheme can tell you is whether the domain in the address bar is the one you meant to visit; that is the phishing problem proper, and it is a separate question.) Thanks to Firefox's broad cross-platform availability, the Perspectives extension provides a strong argument that Firefox is currently the most secure browser for TLS/SSL connections.

The fact of the matter is that relying on a Certifying Authority to tell you when a PKI certificate is "legitimate" just adds another entity to the chain of entities you must trust when establishing a secure connection to a Website. With a system such as OpenPGP's public key cryptography, the only entity you really have to trust is the one with whom you are trying to communicate, provided you verify that party's key fingerprint out of band (or through the web of trust) rather than taking the key on its own say-so. Using traditional PKI, as in the case of SSL/TLS, a third entity in the form of the CA is added to the mix, and that CA can issue a certificate for the same name to anyone it chooses.

Things only get worse for the picture of the CA system from there. Wired reports that security researcher Chris Soghoian discovered an "Internet spying box" being sold to federal agencies by Packet Forensics. This device provides a "drop-in solution" for MITM attacks on TLS/SSL encrypted communications, allowing the feds to (for instance) eavesdrop on your communications with your bank on a supposedly secure connection.

At first glance this may just seem like a problem with TLS itself, a vulnerability in the protocol or the encryption technology, and therefore something that can be fixed. Unfortunately, the situation is much more dire than that, at least as far as the CAs' desire to engender trust in the public is concerned. To quote the Wired article:

The boxes were designed to intercept those communications — without breaking the encryption — by using forged security certificates, instead of the real ones that websites use to verify secure connections. To use the appliance, the government would need to acquire a forged certificate from any one of more than 100 trusted Certificate Authorities.

In short, a device now on the market that can be used to eavesdrop on supposedly secure online transactions implicitly relies on the complicity of supposedly trusted Certifying Authorities. The weakness it exploits is structural: a browser accepts any certificate that chains to any one of its hundred-plus trusted roots, so a single cooperating or compromised CA is enough to issue a certificate for your bank's domain that passes every check your browser performs. Anyone with an even passing familiarity with the way markets tend to work in the real world should start wondering how many CAs are already offering such "forged" certificates to government agencies, to make this device marketable in the first place. As a side note, one might also wonder whether "forged" is the correct term, when the "mint" that produces the legitimate certificates is also producing the "forgeries."

Matt Blaze, a University of Pennsylvania computer security professor and encryption expert, suggests that governments may not be the only entities making use of the underlying vulnerability in the PKI model of certificate authentication:

If the company is selling this to law enforcement and the intelligence community, it is not that large a leap to conclude that other, more malicious people have worked out the details of how to exploit this.

Regardless of your feelings about governments spying on their own citizens without "probable cause", this development is an excellent demonstration of the problem of relying on a self-appointed "authority" as a validator of secure communications, holding the keys for your encrypted Internet connections. By contrast, a self-signed certificate, which most browsers treat as somehow intrinsically less secure than a CA-signed one, requires no reliance on any additional party's trustworthiness. What it does require is that you do the verifying yourself: on first contact you have nothing but the site's own assertion, so the certificate's fingerprint has to be checked against something obtained out of band, and after that the client should refuse a certificate that changes without explanation. With Perspectives offering exactly that kind of out-of-band verification that the certificate offered by the site is the one you should expect, there does not seem to be any reasonable argument left against using a self-signed certificate. Why place your trust in any more people than you absolutely must when trying to maintain your privacy?
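The two trust decisions the article contrasts, as an added illustration that is not code from the article, from the Perspectives project or from Packet Forensics: a self-signed certificate accepted only if it matches a fingerprint obtained out of band, and a Perspectives-style quorum of notaries that have watched the host over time. The notary names, timestamps and certificate bytes are constructed stand-ins, and the quorum and duration thresholds are assumptions rather than the extension's defaults. The point of the scenarios is the interception-box case: a certificate for the right hostname, issued by a trusted CA but carrying the attacker's key, passes ordinary chain validation and fails both checks here.

```python
import hashlib
import hmac
from dataclasses import dataclass

DAY = 86_400  # seconds


def fingerprint(cert_der: bytes) -> str:
    """SHA-256 over the DER-encoded certificate, rendered in the colon-separated
    upper-case form that `openssl x509 -noout -sha256 -fingerprint` prints."""
    digest = hashlib.sha256(cert_der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def pinned_ok(cert_der: bytes, pinned_fingerprint: str) -> bool:
    """Self-signed model: the only question is whether the offered certificate
    is the one whose fingerprint you obtained out of band. No chain, no CA."""
    return hmac.compare_digest(fingerprint(cert_der), pinned_fingerprint.upper())


@dataclass(frozen=True)
class NotaryReport:
    """What one Perspectives-style notary says about a host (hypothetical names)."""
    notary: str
    fingerprint: str   # key the notary currently observes for the host
    since: int         # unix time from which it has seen that key continuously


def notary_verdict(offered_fp, reports, now, quorum, min_days):
    """Accept the offered key only if at least `quorum` notaries currently see
    it AND every one of them has seen it for at least `min_days`. A forged
    certificate served to one victim fails the first test; a key that changed
    an hour ago fails the second (a legitimate rotation looks the same as an
    attack until the notaries have watched it for a while)."""
    agreeing = [r for r in reports if r.fingerprint == offered_fp]
    if len(agreeing) < quorum:
        return False, f"only {len(agreeing)} of {len(reports)} notaries see this key"
    seen_days = min(now - r.since for r in agreeing) / DAY
    if seen_days < min_days:
        return False, f"quorum has seen this key for only {seen_days:.2f} days"
    return True, f"{len(agreeing)} notaries agree, observed for {seen_days:.0f} days"


# Constructed stand-in bytes, not real DER. In a client you would hash
# ssl.SSLSocket.getpeercert(binary_form=True) instead.
SITE_CERT = b"constructed: bank.example self-signed certificate, key A"
FORGED_CERT = b"constructed: bank.example certificate for attacker key B, CA-signed"
ROTATED_CERT = b"constructed: bank.example self-signed certificate, new key C"
SITE_FP, FORGED_FP, ROTATED_FP = map(fingerprint, (SITE_CERT, FORGED_CERT, ROTATED_CERT))

NOW = 1_700_000_000          # fixed "current time" so the run is deterministic
QUORUM, MIN_DAYS = 3, 7.0    # assumed thresholds, not the extension's defaults


def scenarios():
    """Four situations the notary check has to tell apart. Returns name -> accepted."""
    steady = [NotaryReport(f"notary{i}.example", SITE_FP, NOW - 90 * DAY) for i in range(1, 5)]
    # One notary has been fed the attacker's key (or sits behind the same interception box).
    one_poisoned = steady[:3] + [NotaryReport("notary4.example", FORGED_FP, NOW - 90 * DAY)]
    # The site really did rotate its key an hour ago; every notary already sees key C.
    just_rotated = [NotaryReport(f"notary{i}.example", ROTATED_FP, NOW - 3_600) for i in range(1, 5)]
    return {
        "genuine_cert": notary_verdict(SITE_FP, steady, NOW, QUORUM, MIN_DAYS)[0],
        # Browser chain validation would pass this one; the notaries do not.
        "ca_signed_forgery": notary_verdict(FORGED_FP, steady, NOW, QUORUM, MIN_DAYS)[0],
        "forgery_with_poisoned_notary": notary_verdict(FORGED_FP, one_poisoned, NOW, QUORUM, MIN_DAYS)[0],
        "fresh_rotation": notary_verdict(ROTATED_FP, just_rotated, NOW, QUORUM, MIN_DAYS)[0],
    }


if __name__ == "__main__":
    for name, ok in scenarios().items():
        print(f"{name:30s} {'ACCEPT' if ok else 'REJECT'}")
    print("pin check, genuine certificate:", pinned_ok(SITE_CERT, SITE_FP))
    print("pin check, CA-signed forgery  :", pinned_ok(FORGED_CERT, SITE_FP))
```

Only the first scenario is accepted. The last one is the failure mode robindor describes in the comments below: a site that changes keys frequently never accumulates enough notary history, so a notary-based check can at best warn rather than vouch, and a pinned fingerprint has to be updated through the same out-of-band channel it was obtained from.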

About

Chad Perrin is an IT consultant, developer, and freelance professional writer. He holds both Microsoft and CompTIA certifications and is a graduate of two IT industry trade schools.

12 comments
Caractacus Potts

There are a number of things that bother me about this article, primarily 1) a little knowledge is a dangerous thing and 2) beware of marketing hype. I'll expand on point 1) below as point 2) speaks for itself:

1) a little knowledge is a dangerous thing:
a) PKI is an infrastructure, the clue is in the I in PKI;
b) The only CA that is self-signed in a PKI hierarchy is a Root CA, the top of the tree;
c) Public Key cryptography enables Confidentiality and Identification in the use of X.509 Public Key digital certificates (you can also get Integrity indirectly by signing hashes);
d) TLS/SSL is not related to Public Key cryptography (asymmetric crypto) as the algorithms used in TLS/SSL are symmetric algorithms. It's a nuisance that sellers of X.509 Public Key digital certificates (e.g., VeriSign) have referred to (Web) Server Identification Certificates as SSL or TLS certificates - the certs are principally providing an ID for the server and the key in the public key cert may be used during the server/client handshake to enable the setting up of a TLS/SSL link;
e) TLS/SSL links can be made 1 to 1 or via an intermediary. The intermediary route is nothing new and can be quite common as content checkers/AV Scanners are useless with encrypted stuff as the checker only sees gibberish. It is quite common to have a split TLS and SSL connection so that folks can sniff the traffic for dirty code in between comms;
f) Established CA companies (e.g. VeriSign, ok there are negatives to VeriSign but commercially they are King of the Hill) have robust registration schemes for certs issued to commercial entities, hence that's why most banks and retail outlets use them. I am not saying the system is perfect but it's fairly robust. There are always weaknesses in places.

My view is that the weaknesses tend to be more client side rather than server side, but a few good tips are: check the cert when you have a secure session open and look for any discrepancies (name of company, domain listed in cert and actual domain in web page), and always check expiry dates. Also, you should think twice about clicking on a link that takes you to an HTTPS logon screen (e.g., email alleging to come from PayPal) - always take the long way round to the logon screen via the official website. I worked in PKI and crypto both inside and outside Government for several years. The problem generally always boils down to either a little knowledge is a dangerous thing or inadequate implementation. CP

paul.gallant.iit

This box must be using SSLStrip hacking tool. It's the SSL trust chain that is weak when using a certificate signed by a public Certification Authority. That's why I always prefer using a privately signed Root CA whenever it's feasible. I like using TinyCA with OpenSSL (latest version with Microsoft's support). Tip: remember that the maximum key length on Microsoft windows systems is 2048 bits...

link470

I typically buy from a CA such as GoDaddy or Verisign for websites that have a secure section to them or that will be accessed by visitors or users of the website. I find that the only reason I'm really buying them is to get rid of the splash page that comes up on many browsers that scares the users off and prevents them from proceeding to the website. I.e., you can click a link that takes you to the site, and Firefox makes you add the site to an Exception List after clicking a couple of links. Only then does the user get access to the site. Originally, I had a self-assigned certificate on one of these sites, and I received calls from numerous users not knowing how to proceed and people saying "but my browser says the site is unsafe!!!!1!1!111oneoneone". The administration where I was working told me to have that unsafe page gone, and my only way to do that was to purchase a certificate from a CA. I would normally always use self-assigned certificates. The only real benefit I see from the certificates you obtain from Verisign etc. is that you don't get that interception page about the connection not being trusted. I tend to use self-assigned certificates whenever possible on internal sites like email for my companies, or companies whose email I manage for small businesses, where I know everyone there is knowledgeable enough to just proceed and know what to do when they get to that unverified page.

rsbrux

"As a side note, one might also wonder whether 'forged' is the correct term, when the 'mint' that produces the legitimate certificates is also producing the 'forgeries.'" Sounds like the virtual equivalent of Chinese factories which turn out trademarked goods for a contracting partner by day and forgeries of the same goods by night.

LedLincoln

It would probably take only one skilled infiltrator at a CA to crank out any certificates his agency requests, and the CA organization would be none the wiser. Said infiltrator could be working for your government, a foreign government, or just a group of bad guys. :-P

robinsys

Now wait a minute, let me get this straight. You're suggesting that having someone - anyone - vouch for the validity of the site I'm connecting with is useless, I should just accept the site's own assertion that it is valid. So a crook who says "I'm not a crook" is equivalent to some independent party asserting that he is not a crook, right? I realize that the proliferation of CAs is an issue, as is the question of the reliability of the CAs, but it seems to me that that issue should be addressed rather than just discarding the whole CA idea.

lastchip

Personally, I wouldn't hesitate to accept a self-created certificate, providing I knew for sure the site I was visiting was genuine. And there lies the rub! Phishing has now become so sophisticated that it's difficult for even experienced computer users to determine if a site is fake. Take a look at this from Cambridge University and Dr. Richard Clayton: http://fosdem.org/2010/schedule/events/eviloninternet Frightening!

robindor

One should also be aware that some sites do not handle certificates in a way that works well with Perspectives. An example is the set of CitiGroup on-line credit cards. Perspectives never sees a certificate from these sites consistently. Perspectives does check the authenticity of these sites, but this result only appears as a green-tinted background in the Firefox address window. Perhaps this attribute could be forged?

Jeff Dickey

Why limit your market unnecessarily?

wizard_of_oz

Isn't the *point* of a CA to vouch for the identity of the other side? If a CA isn't doing its job, time for a new CA. A self-signed certificate is trivial to forge. The technique has been known for years and can be found in numerous places around the net and even in print. Using a (flawed) CA is better than self-signed, because an attacker will need to subvert the CA or use malware to make the client trust a malicious CA. So, if you really want to secure your users, you need to create an organizational CA, and use that CA to sign your organization's certificates. Furthermore, manually distribute your organization's CA signature when you distribute PGP/SSH keys and have your users add your CA to their browsers. While you're at it, remove any suspect CA signatures that they've loaded. That at least will keep your (internal) users from being MitM'ed on the way to your intranet.

lastchip

But the whole point of the article is that CAs run by commercial operators cannot necessarily be trusted. In fact, they could produce a false sense of security in the wrong circumstances. Would you rather have a certificate you produced and know to be safe, or one that may have been compromised? The point I made was that it's far harder, and arguably far more important, to know you are dealing with a genuine site rather than the certificate itself, and if you think that's easy, take a look at the link I provided!

mafergus

It seems there are two customers, and for me using a self-signed cert for internal (company) users is legit, but it is risky to apply self-signed certs to public-facing entities such as web sites.
