[AktiviX-discuss] Why is the security certificate bad?

Paul M tallpaul at ml1.net
Mon Dec 3 17:15:36 UTC 2007


On Mon, 2007-12-03 at 05:49 +0000, andy baxter wrote:
> I have sent the following explanation to the people I was inviting to 
> join the list. If you get the time, could you check it through and let 
> me know whether it looks like reasonable advice (I am not 100% sure 
> about some of the details, like the kind of attacks that certificates 
> are meant to prevent.)

The advice is good, I have written comments/corrections on the other
stuff inline.

> thanks,
> 
> andy.
> 
> ------------------- forwarded message ---------------------
> 
> I'm just sending this because I've had an email from someone saying they 
> had a problem subscribing to the list. The problem is that when you 
> access the website you subscribe through, the browser warns you that the 
> site's security certificate doesn't check out.
> 
> I have now been in touch with the people who run the mail server and 
> website we are using, and the explanation for this is that they can't 
> afford to buy a certificate from one of the commercial certifying 
> authorities, who charge over £100/year for their certificates.

For clarity I should point out that I don't admin the Aktivix servers
(though this is what I do for a living); however, I'm sure they would
tell you the same things.

>  These 
> bodies give out certificates which are meant to securely identify the 
> site you are looking at as the one it says that it is. 

This is not strictly true. The purpose of the certificates is to enable
encrypted traffic between a browser and a server*, however it is also
important that the server is who it claims to be. This is why the browser
performs a series of checks when it starts an encrypted connection. It
checks to see whether the site presenting the certificate is the one
named in the certificate -- otherwise a fake site could use a real
certificate -- and also checks to see if the certificate authority is
trusted.

If this is the case the browser can check the certificate is valid using
the Certificate Authority's public key. It's important that the
Certificate Authority is trusted, otherwise the validity doesn't really
count for anything. A corrupt CA could issue valid certificates to sites
in false names, for example.

*otherwise traffic is unencrypted and is relatively easy to intercept.
It's worth noting that the security of the encrypted traffic itself is
not determined by the trustworthiness of the certificate per se, but by
the mathematical strength of the keys. It is possible to issue your own
certificates by 'self-signing' them, or setting up your own CA, and the
encrypted traffic will be just as secure (more so in some cases). This
is a common answer if you cannot / do not want to buy a certificate, but
the issue remains as to whether you should trust these certificates,
hence cacert.org.
 
> I understand it, to protect you against someone who has hijacked part of 
> the connection between you and the website concerned. 

This is more the function of the checks performed against a certificate,
as the above hopefully makes clear.

> This is an 
> unlikely form of attack, as to spoof a site in this way you would need 
> to have control over some part of the internet's infrastructure, such as 
> the ISP - 

(Actually you would only need a much smaller part of the whole. In some
cases it is even possible to hijack traffic without having to hijack any
of the intermediate points.)

> most website spoofs work by subtly altering the website's name 
> - e.g. barc1ays.co.uk instead of barclays.co.uk (spot the difference). 
> It's also worth pointing out that it's perfectly possible for a 'bad' 
> site which distributes malware for example to have 'good' certificate - 
> the certificate only guarantees that the website you are viewing is the 
> one it says it is, not whether the content is safe. However, it is 
> technically possible to fake a site in this way, and certificates give 
> some degree of protection against this.

> Instead of paying for a certificate from one of the large commercial 
> bodies who normally provide them, aktivix.org, who are providing the 
> email list, have opted for one from a new, currently relatively small, 
> certifying authority called cacert.org (see www.cacert.org, and 
> http://en.wikipedia.org/wiki/CAcert.org ). This body issues free 
> certificates automatically to websites on the basis that if someone can 
> receive mail directed to postmaster at activix.org (for example), then they 
> are the legitimate owner of that domain name (which is a fair 
> assumption). 

In practice this is not so different from how the large CAs do things.
In addition cacert.org is trying to build a 'web of trust' to allow an
additional degree of assurance for some certificates (see wikipedia on
this: http://en.wikipedia.org/wiki/Web_of_trust)

> Unfortunately, cacert is still not recognised as a 
> certifying authority by many distributors of web browsers, so 
> certificates issued by them don't check out in many browsers.
> 
> If this was putting you off subscribing, but you still want to subscribe 
> to the evolving minds list, you have a few options:
> 
> - ignore the security warning temporarily so you can view the relevant 
> page ( https://lists.aktivix.org/mailman/listinfo/evolvingminds ) and 
> subscribe yourself.

It's worth pointing out that subscribing requires no personal information
that needs protecting in this way. The secure server used provides a
level of privacy and security above and beyond that which would normally
be expected and is used elsewhere for similar applications.

> - ask me to subscribe you by sending me an email.
> - subscribe yourself by email - you can do this by sending mail to 
> EvolvingMinds-request at lists.aktivix.org with the word 'help' in the 
> subject, and waiting for the mail server to send you back instructions 
> on how to subscribe.
> - decide that you are personally willing to trust cacert.org to certify 
> sites, and install their root certificate on your browser. This will 
> prevent such warnings in the future from any site certified by them, 
> which tend to be smaller sites that can't afford the fees charged by the 
> commercial certificate authorities. You can do this by going to:
> http://www.cacert.org/index.php?id=3 and clicking on the link which says 
> 'root certificate (PEM Format)'
> 
> I hope this explanation is reasonably intelligible and gives you some 
> reassurance that there isn't a problem with the email list, or the 
> server it is running on. For what it's worth, I know some of the people 
> involved in aktivix.org, who are a loosely affiliated group of people 
> who provide technical support to various (mainly environmental) campaign 
> groups, and I think they are good people and am personally quite willing 
> to trust the website and also take their advice on installing the 
> cacert.org certificate.
> 
> Looking forward to seeing you on the list,
> 
> andy baxter.
> 
> _______________________________________________
> AktiviX-discuss mailing list
> AktiviX-discuss at lists.aktivix.org
> https://lists.aktivix.org/mailman/listinfo/aktivix-discuss
-- 
      "There are no innocent bystanders,
what were they doing there in the first place?"
             William S. Burroughs
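[Editor's note, not part of the thread: the two checks Paul describes above (is the issuing CA trusted, and does the certificate name match the site you are visiting), and the "install the root certificate" option at the end of andy's message, can be watched directly with the openssl command line. The script below is an added example, not code from the thread or from aktivix.org/cacert.org. It builds a throwaway CA, issues a certificate for a made-up hostname, makes a second self-signed certificate for the same name, and then runs `openssl verify` against each in the situations the thread discusses. It assumes OpenSSL 1.1.1 or later on PATH; every name and file in it is constructed for the example.]

```shell
#!/bin/sh
# Added example (not from the thread): a toy CA plus two server certificates,
# checked with `openssl verify` the way a browser checks a site certificate.
# Assumes OpenSSL >= 1.1.1. All hostnames and names below are made up.

set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
SITE=lists.example.org   # constructed hostname, not a real site

# 1. Toy certificate authority: a self-signed CA certificate and its private key.
#    Putting ca.crt in a trust store is what "install their root certificate" means.
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
  -keyout "$WORK/ca.key" -out "$WORK/ca.crt" \
  -subj "/CN=Toy Root CA" >/dev/null 2>&1

# 2. A server certificate for $SITE, signed by the toy CA (like a cacert.org-issued cert).
openssl req -newkey rsa:2048 -nodes -sha256 \
  -keyout "$WORK/site.key" -out "$WORK/site.csr" -subj "/CN=$SITE" >/dev/null 2>&1
printf 'subjectAltName=DNS:%s\n' "$SITE" > "$WORK/san.ext"
openssl x509 -req -days 1 -sha256 -in "$WORK/site.csr" \
  -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
  -extfile "$WORK/san.ext" -out "$WORK/site.crt" >/dev/null 2>&1

# 3. A self-signed certificate for the same name: keys just as strong, but no issuer
#    that any client already trusts (the "self-signing" case in the thread).
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
  -keyout "$WORK/self.key" -out "$WORK/self.crt" \
  -subj "/CN=$SITE" -addext "subjectAltName=DNS:$SITE" >/dev/null 2>&1

# verify_cert CERT HOSTNAME [CAFILE]
# Performs the browser's two checks: the chain must end in a CA we trust (CAFILE),
# and the certificate must be issued for HOSTNAME. Returns 0 = accepted, non-zero = rejected.
# With no CAFILE the trust store is deliberately empty, mimicking a browser that
# has never heard of the issuing CA.
verify_cert() {
  cert=$1; host=$2; cafile=${3:-}
  if [ -n "$cafile" ]; then
    openssl verify -CAfile "$cafile" -verify_hostname "$host" "$cert" >/dev/null 2>&1
  else
    openssl verify -no-CAfile -no-CApath -verify_hostname "$host" "$cert" >/dev/null 2>&1
  fi
}

# The situations discussed in the thread. Each returns 0 if the browser-style check accepts.
case_untrusted_ca()       { verify_cert "$WORK/site.crt" "$SITE"; }                          # rejected: issuer unknown
case_trusted_ca()         { verify_cert "$WORK/site.crt" "$SITE" "$WORK/ca.crt"; }           # accepted: CA installed
case_wrong_host()         { verify_cert "$WORK/site.crt" "other.example.org" "$WORK/ca.crt"; } # rejected: name mismatch
case_self_signed()        { verify_cert "$WORK/self.crt" "$SITE"; }                          # rejected: no trusted issuer
case_self_signed_pinned() { verify_cert "$WORK/self.crt" "$SITE" "$WORK/self.crt"; }         # accepted: trusted explicitly

report() { if "$1"; then echo "$1: accepted"; else echo "$1: rejected"; fi; }
for c in case_untrusted_ca case_trusted_ca case_wrong_host case_self_signed case_self_signed_pinned; do
  report "$c"
done
```

The point the output makes is the one in the thread: the same site certificate is rejected or accepted depending only on whether the verifying side trusts the issuing CA, and a certificate for the wrong name is rejected even when the CA is trusted. Encryption strength never enters into it; the self-signed certificate uses keys of the same size and is accepted as soon as it is trusted explicitly.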
