Installing Certificates . Why?? help please

Discussion in 'Computer Security' started by Galadrial, Aug 26, 2007.

  1. Galadrial

    Galadrial Guest

    I know little about security certificates but am following advice to check
    the details when using an HTTPS site. Can anyone tell me what the Install
    Certificate option is when I check, for instance GRC's certificate?

    Thanks for your time
     
    Galadrial, Aug 26, 2007
    #1

  2. Galadrial

    Sebastian G. Guest

    Galadrial wrote:

    > I know little about security certificates but am following advice to check
    > the details when using an HTTPS site. Can anyone tell me what the Install
    > Certificate option is when I check,



    It locally stores the certificate for later comparison when it's a root cert.

    > for instance GRC's certificate?



    Then for nothing. You visited a charlatan's website and you want to add his
    self-signed root cert to your cert store? Utterly foolish.
     
    Sebastian G., Aug 26, 2007
    #2

  3. Galadrial

    Jim Watt Guest

    On Sun, 26 Aug 2007 12:09:23 GMT, "Galadrial"
    <> wrote:

    >I know little about security certificates but am following advice to check
    >the details when using an HTTPS site. Can anyone tell me what the Install
    >Certificate option is when I check, for instance GRC's certificate?
    >
    >Thanks for your time


    I think Certificates on a web server have three uses

    1. To show that the site is genuine
    2. To encrypt the session
    3. To generate an income for the certificate authority (CA)

    Because the CA takes reasonable care not to issue, for
    example a certificate saying 'Microsoft' to joe hacker
    then it establishes trust that you really are dealing
    with say, Microsoft.

    If you can trust that the site you are using really
    is genuine, and it happens to be someone who has generated
    his own certificate, because they know how and wish to
    avoid paying a CA, then it's OK to add it to your browser.

    The CA root certificates get added automatically by the
    browser authors, but obviously they do not cater for people
    who 'roll their own' so there is the provision to add them
    yourself, under caution.

    For a serious e-commerce website, it's a false economy to
    do this, although I do know a large bank who use the wrong
    certificate on their electronic banking site. For a small
    e-commerce site, like GRC's, it's reasonable.

    You either trust him or you don't. I use spinrite and
    it's saved my arse, and he did pick up on the 'real downloader'
    spyware issue rather well when I mentioned it to him, so I
    think he is OK, Sebastian seems to be of the other view.

    Not that it matters much.
    --
    Jim Watt
    http://www.gibnet.com
     
    Jim Watt, Aug 27, 2007
    #3
  4. Galadrial

    Galadrial Guest

    Thanks Jim, getting clearer. To summarise, if the certificate is issued by
    the website themselves then be very sure before installing. Just not clear
    what, if anything, I am missing out on by not installing - whether a self
    certificate I decide to trust or one issued by a known and trusted authority
    (Verisign in GRC's case)? I have no problem with GRC's site, the
    certificate looks fine and I'm not getting any warnings.

    "Jim Watt" <_way> wrote in message
    news:...
    > On Sun, 26 Aug 2007 12:09:23 GMT, "Galadrial"
    > <> wrote:
    >
    >>I know little about security certificates but am following advice to check
    >>the details when using an HTTPS site. Can anyone tell me what the Install
    >>Certificate option is when I check, for instance GRC's certificate?
    >>
    >>Thanks for your time

    >
    > I think Certificates on a web server have three uses
    >
    > 1. To show that the site is genuine
    > 2. To encrypt the session
    > 3. To generate an income for the certificate authority (CA)
    >
    > Because the CA takes reasonable care not to issue, for
    > example a certificate saying 'Microsoft' to joe hacker
    > then it establishes trust that you really are dealing
    > with say, Microsoft.
    >
    > If you can trust that the site you are using really
    > is genuine, and it happens to be someone who has generated
    > his own certificate, because they know how and wish to
    > avoid paying a CA, then it's OK to add it to your browser.
    >
    > The CA root certificates get added automatically by the
    > browser authors, but obviously they do not cater for people
    > who 'roll their own' so there is the provision to add them
    > yourself, under caution.
    >
    > For a serious e-commerce website, it's a false economy to
    > do this, although I do know a large bank who use the wrong
    > certificate on their electronic banking site. For a small
    > e-commerce site, like GRC's, it's reasonable.
    >
    > You either trust him or you don't. I use spinrite and
    > it's saved my arse, and he did pick up on the 'real downloader'
    > spyware issue rather well when I mentioned it to him, so I
    > think he is OK, Sebastian seems to be of the other view.
    >
    > Not that it matters much.
    > --
    > Jim Watt
    > http://www.gibnet.com
     
    Galadrial, Aug 27, 2007
    #4
  5. Galadrial

    nemo_outis Guest

    Jim Watt <_way> wrote in
    news::

    ....
    > Because the CA takes reasonable care not to issue, for
    > example a certificate saying 'Microsoft' to joe hacker
    > then it establishes trust that you really are dealing
    > with say, Microsoft.

    ....

    Funny you should pick Microsoft as your example regarding this point. In
    January 2001, VeriSign **erroneously issued** two Class 3 code-signing
    certificates to someone falsely claiming to represent Microsoft. It was 6
    weeks before anyone noticed!

    Regards,
     
    nemo_outis, Aug 27, 2007
    #5
  6. Galadrial

    Jim Watt Guest

    On 27 Aug 2007 13:07:51 GMT, "nemo_outis" <> wrote:

    >Jim Watt <_way> wrote in
    >news::
    >
    >...
    >> Because the CA takes reasonable care not to issue, for
    >> example a certificate saying 'Microsoft' to joe hacker
    >> then it establishes trust that you really are dealing
    >> with say, Microsoft.

    >...
    >
    >Funny you should pick Microsoft as your example regarding this point. In
    >January 2001, VeriSign **erroneously issued** two Class 3 code-signing
    >certificates to someone falsely claiming to represent Microsoft. It was 6
    >weeks before anyone noticed!


    Well spotted:)
    --
    Jim Watt
    http://www.gibnet.com
     
    Jim Watt, Aug 27, 2007
    #6
  7. Galadrial

    Ari Guest

    On Mon, 27 Aug 2007 10:48:35 +0200, Jim Watt wrote:

    > On Sun, 26 Aug 2007 12:09:23 GMT, "Galadrial"
    > <> wrote:
    >
    >>I know little about security certificates but am following advice to check
    >>the details when using an HTTPS site. Can anyone tell me what the Install
    >>Certificate option is when I check, for instance GRC's certificate?
    >>
    >>Thanks for your time

    >
    > I think Certificates on a web server have three uses
    >
    > 1. To show that the site is genuine
    > 2. To encrypt the session
    > 3. To generate an income for the certificate authority (CA)
    >
    > Because the CA takes reasonable care not to issue, for
    > example a certificate saying 'Microsoft' to joe hacker
    > then it establishes trust that you really are dealing
    > with say, Microsoft.
    >
    > If you can trust that the site you are using really
    > is genuine, and it happens to be someone who has generated
    > his own certificate, because they know how and wish to
    > avoid paying a CA, then it's OK to add it to your browser.
    >
    > The CA root certificates get added automatically by the
    > browser authors, but obviously they do not cater for people
    > who 'roll their own' so there is the provision to add them
    > yourself, under caution.
    >
    > For a serious e-commerce website, it's a false economy to
    > do this, although I do know a large bank who use the wrong
    > certificate on their electronic banking site. For a small
    > e-commerce site, like GRC's, it's reasonable.
    >
    > You either trust him or you don't. I use spinrite and
    > it's saved my arse, and he did pick up on the 'real downloader'
    > spyware issue rather well when I mentioned it to him, so I
    > think he is OK, Sebastian seems to be of the other view.
    >
    > Not that it matters much.


    Complicating the CA issue is Comodo's free issuance of CAs.
    --
    "You can't trust code that you did not totally create yourself"
    Ken Thompson "Reflections on Trusting Trust"
    http://www.acm.org/classics/sep95/
     
    Ari, Sep 2, 2007
    #7
  8. Galadrial

    Jim Watt Guest

    On Sun, 2 Sep 2007 18:08:51 -0400, Ari <>
    wrote:

    >On Mon, 27 Aug 2007 10:48:35 +0200, Jim Watt wrote:
    >
    >> On Sun, 26 Aug 2007 12:09:23 GMT, "Galadrial"
    >> <> wrote:
    >>
    >>>I know little about security certificates but am following advice to check
    >>>the details when using an HTTPS site. Can anyone tell me what the Install
    >>>Certificate option is when I check, for instance GRC's certificate?
    >>>
    >>>Thanks for your time

    >>
    >> I think Certificates on a web server have three uses
    >>
    >> 1. To show that the site is genuine
    >> 2. To encrypt the session
    >> 3. To generate an income for the certificate authority (CA)
    >>
    >> Because the CA takes reasonable care not to issue, for
    >> example a certificate saying 'Microsoft' to joe hacker
    >> then it establishes trust that you really are dealing
    >> with say, Microsoft.
    >>
    >> If you can trust that the site you are using really
    >> is genuine, and it happens to be someone who has generated
    >> his own certificate, because they know how and wish to
    >> avoid paying a CA, then it's OK to add it to your browser.
    >>
    >> The CA root certificates get added automatically by the
    >> browser authors, but obviously they do not cater for people
    >> who 'roll their own' so there is the provision to add them
    >> yourself, under caution.
    >>
    >> For a serious e-commerce website, it's a false economy to
    >> do this, although I do know a large bank who use the wrong
    >> certificate on their electronic banking site. For a small
    >> e-commerce site, like GRC's, it's reasonable.


    >Complicating the CA issue is Comodo's free issuance of CAs.


    Not really because their offer is not really free, it's
    rather like shareware

    "Free SSL Certificates provide full Secure Sockets Layer functionality
    for 90 days"

    So after 90 days you have to pay them like any other CA

    Anyone can issue a certificate, what you pay for is the trust
    element, and that the CA is included by default in everyone's
    web browser.

    For a commercial website, basically you need to buy a certificate
    and it's part of the cost of operation.

    For some circumstances any certificate, including one you generate
    yourself will do.

    Who can be a CA is also covered by an EU directive which is
    implemented in the laws of the jurisdiction where it does
    business. Non EU countries may have their own restrictions
    and laws.
    --
    Jim Watt
    http://www.gibnet.com
     
    Jim Watt, Sep 3, 2007
    #8
  9. Galadrial

    Ari Guest

    On Mon, 03 Sep 2007 11:51:15 +0200, Jim Watt wrote:

    >>> For a serious e-commerce website, it's a false economy to
    >>> do this, although I do know a large bank who use the wrong
    >>> certificate on their electronic banking site. For a small
    >>> e-commerce site, like GRC's, it's reasonable.

    >
    >>Complicating the CA issue is Comodo's free issuance of CAs.

    >
    > Not really because their offer is not really free, it's
    > rather like shareware


    <http://www.comodo.com/products/certificate_services/email_certificate.html>
    --
    "You can't trust code that you did not totally create yourself"
    Ken Thompson "Reflections on Trusting Trust"
    http://www.acm.org/classics/sep95/
     
    Ari, Sep 4, 2007
    #9
  10. Galadrial

    Jim Watt Guest

    On Mon, 3 Sep 2007 22:49:22 -0400, Ari <>
    wrote:

    >On Mon, 03 Sep 2007 11:51:15 +0200, Jim Watt wrote:
    >
    >>>> For a serious e-commerce website, it's a false economy to
    >>>> do this, although I do know a large bank who use the wrong
    >>>> certificate on their electronic banking site. For a small
    >>>> e-commerce site, like GRC's, it's reasonable.

    >>
    >>>Complicating the CA issue is Comodo's free issuance of CAs.

    >>
    >> Not really because their offer is not really free, it's
    >> rather like shareware

    >
    ><http://www.comodo.com/products/certificate_services/email_certificate.html>


    OK but their offer of certificates for a secure server is
    90 days free trial then pay. Not saying it's unfair because
    we all need to make a living but free it's not.

    Verisign used to give away free certificates for email too.
    --
    Jim Watt
    http://www.gibnet.com
     
    Jim Watt, Sep 4, 2007
    #10
  11. Galadrial

    Galadrial Guest

    Pleased to see my original question provoked some discussion but I'm none
    the wiser ..

    .... if I go to a bank website, see Https, check out the certificate and have
    the option to "Install Certificate", should I ? what do I gain or lose by
    doing so or not?
     
    Galadrial, Sep 4, 2007
    #11
  12. Galadrial

    Jim Watt Guest

    On Tue, 04 Sep 2007 17:25:29 GMT, "Galadrial"
    <> wrote:

    >Pleased to see my original question provoked some discussion but I'm none
    >the wiser ..
    >
    >... if I go to a bank website, see Https, check out the certificate and have
    >the option to "Install Certificate", should I ? what do I gain or lose by
    >doing so or not?


    Perhaps you did not understand the answer;

    However you should NOT install a certificate for a
    bank !!! nor should you be required to do so.

    In the context of this newsgroup GRC is taken to mean
    Gibson Research www.grc.com some think he is a god
    amongst computer men and others are atheists. I find
    some of his stuff useful and good value for money.

    Now the owner of that (and myself) are quite capable of
    generating our own SSL certificates which would not be
    automatically recognised by your browser.

    If you chose to install a 'home made' certificate you are
    telling your computer that YOU trust that it is genuine.

    With a paid certificate issued by a Certificate Authority
    (CA), say Verisign you do not have to tell your machine to
    trust them because it relies on them not to issue certificates
    to crooks or the wrong people. That's why they charge for them.

    Obviously the database of trusted root certificates changes
    from time to time, and I note one of the updates from MS
    recently was for that, so if you don't use automatic updates
    visit

    http://update.microsoft.com

    and update your software, assuming you use Microsoft, if you
    have a mac, sacrifice a goat or whatever such people do and
    if you are clever enough to use Linux you should be answering
    questions not asking them.

    But basically certificates provide two functions, encrypting
    data passed between two machines which ensures its integrity
    and prevents its interception and secondly establishing trust
    in the identity of whoever you are exchanging data with.

    If you have continued problems with your bank's certificate
    contact them. It might indicate the site is not really theirs
    or they have screwed up.

    --
    Jim Watt
    http://www.gibnet.com
     
    Jim Watt, Sep 5, 2007
    #12
  13. In article <>,
    Jim Watt <_way> wrote:
    ...
    >If you chose to install a 'home made' certificate you are
    >telling your computer that YOU trust that it is genuine.

    ...
    >With a paid certificate issued by a Certificate Authority
    >(CA), say Verisign you do not have to tell your machine to
    >trust them because it relies on them not to issue certificates
    >to crooks or the wrong people. That's why they charge for them.

    ...

    No, they charge for them to make a profit. They have shown by their
    behavior that they will happily assign certificates to unauthorized
    people.

    ...
    >But basically certificates provide two functions, encrypting
    >data passed between two machines which ensures its integrity
    >and prevents its interception and secondly establishing trust
    >in the identity of whoever you are exchanging data with.


    No, certificates only provide one function: protecting data while in
    transit.

    While they have the theoretical ability to do the second, in practice,
    they don't. So, don't trust a certificate unless _you_ - and not a
    third party - have followed the trust chain yourself.

    Craig
     
    Craig A. Finseth, Sep 5, 2007
    #13
  14. Galadrial

    Jim Watt Guest

    On Wed, 05 Sep 2007 12:47:05 -0000, Craig A. Finseth
    <> wrote:

    >No, they charge for them to make a profit.


    surely not? That would make them capitalist
    running dogs.

    "The new social system has only just been
    established and requires time for its
    consolidation"

    chairman Mao, the little red book P 27

    Further reading

    http://en.wikipedia.org/wiki/Certificate_authority
    --
    Jim Watt
    http://www.gibnet.com
     
    Jim Watt, Sep 5, 2007
    #14
  15. Galadrial

    Ari Guest

    On Wed, 05 Sep 2007 12:47:05 -0000, Craig A. Finseth wrote:

    >>But basically certificates provide two functions, encrypting
    >>data passed between two machines which ensures its integrity
    >>and prevents its interception and secondly establishing trust
    >>in the identity of whoever you are exchanging data with.

    >
    > No, certificates only provide one function: protecting data while in
    > transit.
    >
    > While they have the theoretical ability to do the second, in practice,
    > they don't. So, don't trust a certificate unless _you_ - and not a
    > third party - have followed the trust chain yourself.
    >
    > Craig


    "You can't trust code that you did not totally create yourself"
    Ken Thompson "Reflections on Trusting Trust"
    http://www.acm.org/classics/sep95/
     
    Ari, Sep 20, 2007
    #15
  16. Galadrial

    nemo_outis Guest

    Ari <> wrote in news:1l87al1ipfczl
    $:

    ....
    >> While they have the theoretical ability to do the second, in practice,
    >> they don't. So, don't trust a certificate unless _you_ - and not a
    >> third party - have followed the trust chain yourself.



    I have often wondered why hackers (using trojans, etc.) or even, say,
    coworkers in an office, don't install a bogus certificate (or better, a
    bogus certificate authority) into other folks' browsers.

    Regards,
     
    nemo_outis, Sep 20, 2007
    #16
  17. Galadrial

    Sebastian G. Guest

    nemo_outis wrote:

    > Ari <> wrote in news:1l87al1ipfczl
    > $:
    >
    > ...
    >>> While they have the theoretical ability to do the second, in practice,
    >>> they don't. So, don't trust a certificate unless _you_ - and not a
    >>> third party - have followed the trust chain yourself.

    >
    >
    > I have often wondered why hackers (using trojans, etc.) or even, say,
    > coworkers in an office, don't install a bogus certificate (or better, a
    > bogus certificate authority) into other folks' browsers.



    Because this would leave traces? However, they do exactly this thing in
    memory. Just create an invalid signature, but change the program's code to
    make the verification pass.
     
    Sebastian G., Sep 20, 2007
    #17
  18. Galadrial

    nemo_outis Guest

    "Sebastian G." <> wrote in
    news::

    >> I have often wondered why hackers (using trojans, etc.) or even, say,
    >> coworkers in an office, don't install a bogus certificate (or better,
    >> a bogus certificate authority) into other folks' browsers.

    >
    >
    > Because this would leave traces? However, they do exactly this thing
    > in memory. Just create an invalid signature, but change the program's
    > code to make the verification pass.



    Sebastian, you have a positive gift for making something simple into
    something difficult and complicated.

    Installing a bogus certificate (or certificate authority) into a browser
    is quick and simple - your grandmother could do it. No programming
    knowledge, no hacking and reverse engineering expertise, no tedious
    recoding required. Nor is making the certificate beforehand much bother
    - any number of canned programs will do it.

    As for traces, 99.9% of folks have no idea of what certificates or
    authorities should be in their browsers (and, of course, a recoded
    browser also leaves traces). Most haven't a clue about certificates at
    all. But even if, by some fluke, someone did, so what if he finds a
    bogus certificate authority? That would tell him only what he already
    would know by that time - that he'd been scammed.

    Regards,
     
    nemo_outis, Sep 20, 2007
    #18
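
Added example, not part of any post in this thread: post #12 describes the trusted-root database that "Install Certificate" can add to, and post #18 notes that most users could not say which roots belong in it. This PowerShell script inventories the Windows Trusted Root store and reports entries that are absent from a saved baseline; the baseline file name and location are assumptions.

```powershell
# Added example, not from the thread. Audits the Windows "Trusted Root
# Certification Authorities" store for entries added since a baseline.

function Get-RootInventory {
    # Thumbprints of roots trusted machine-wide.
    $machine = @{}
    Get-ChildItem Cert:\LocalMachine\Root |
        ForEach-Object { $machine[$_.Thumbprint] = $true }

    # Cert:\CurrentUser\Root is the merged view: machine roots plus any
    # root this user account added on its own.
    Get-ChildItem Cert:\CurrentUser\Root |
        Sort-Object Thumbprint -Unique |
        ForEach-Object {
            [pscustomobject]@{
                Scope      = if ($machine.ContainsKey($_.Thumbprint)) { 'Machine' } else { 'UserOnly' }
                Subject    = $_.Subject
                NotAfter   = $_.NotAfter
                Thumbprint = $_.Thumbprint
            }
        }
}

function Compare-RootBaseline {
    param(
        # Assumed format: one certificate thumbprint per line.
        [Parameter(Mandatory)][string]$BaselinePath
    )
    $known = @{}
    Get-Content $BaselinePath |
        Where-Object { $_.Trim() } |
        ForEach-Object { $known[$_.Trim().ToUpper()] = $true }

    # Anything trusted now that was not trusted when the baseline was taken.
    Get-RootInventory | Where-Object { -not $known.ContainsKey($_.Thumbprint) }
}

# Hypothetical baseline location; keep it somewhere other users cannot edit.
$baseline = Join-Path $env:USERPROFILE 'root-baseline.txt'

if (-not (Test-Path $baseline)) {
    # First run: record the current state as the reference point.
    Get-RootInventory |
        Select-Object -ExpandProperty Thumbprint |
        Set-Content $baseline
    "Baseline written to $baseline"
} else {
    $new = @(Compare-RootBaseline -BaselinePath $baseline)
    if ($new.Count -eq 0) {
        'No trusted roots added since the baseline.'
    } else {
        $new | Format-Table Scope, Subject, NotAfter, Thumbprint -AutoSize
    }
}
```

The first run treats whatever is already in the store as trusted, so take the baseline on a machine in a known state. A new entry is a prompt to review rather than proof of tampering, since the root updates from Microsoft mentioned in post #12 also add entries.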
  19. Galadrial

    Sebastian G. Guest

    nemo_outis wrote:


    > Sebastian, you have a positive gift for making something simple into
    > something difficult and complicated.
    >
    > Installing a bogus certificate (or certificate authority) into a browser
    > is quick and simple - your grandmother could do it.



    And leaves traces. Which is bad.

    > As for traces, 99.9% of folks have no idea of what certificates or
    > authorities should be in their browsers



    But a forensic expert at the police does.

    > (and, of course, a recoded browser also leaves traces).



    Not if you do it solely in memory.

    > But even if, by some fluke, someone did, so what if he finds a
    > bogus certificate authority? That would tell him only what he already
    > would know by that time - that he'd been scammed.


    Depends on whether you want a long-term compromise. Phishing is only one
    possible way of exploitation.
     
    Sebastian G., Sep 21, 2007
    #19
  20. Galadrial

    nemo_outis Guest

    "Sebastian G." <> wrote in
    news::

    > Not if you do it solely in memory.



    And not if you solely use genetically-altered trained baboons with head-
    mounted lasers :)

    Why do you have this penchant for grossly overengineering everything,
    Sebastian?

    Regards,
     
    nemo_outis, Sep 21, 2007
    #20
