[AktiviX-discuss] Why is the security certificate bad?

andy baxter andy at earthsong.free-online.co.uk
Mon Dec 3 17:34:28 UTC 2007


Paul M wrote:
> On Mon, 2007-12-03 at 05:49 +0000, andy baxter wrote:
>   
>> I have sent the following explanation to the people I was inviting to 
>> join the list. If you get the time, could you check it through and let 
>> me know whether it looks like reasonable advice (I am not 100% sure 
>> about some of the details, like the kind of attacks that certificates 
>> are meant to prevent.)
>>     
>
> The advice is good, I have written comments/corrections on the other
> stuff inline.
>   

Thanks for your help.

andy.
>   
>> thanks,
>>
>> andy.
>>
>> ------------------- forwarded message ---------------------
>>
>> I'm just sending this because I've had an email from someone saying they 
>> had a problem subscribing to the list. The problem is that when you 
>> access the website you subscribe through, the browser warns you that the 
>> site's security certificate doesn't check out.
>>
>> I have now been in touch with the people who run the mail server and 
>> website we are using, and the explanation for this is that they can't 
>> afford to buy a certificate from one of the commercial certifying 
>> authorities, who charge over £100/year for their certificates.
>>     
>
> For clarity I should point out that I don't admin the Aktivix servers,
> (though this is what I do for a living), however I'm sure they would
> tell you the same things. 
>
>   
>>  These 
>> bodies give out certificates which are meant to securely identify the 
>> site you are looking at as the one it says that it is. 
>>     
>
> This is not strictly true. The purpose of the certificates is to enable
> encrypted traffic between a browser and a server*, however it is also
> important that the server is who it claims to be. This is why the browser
> performs a series of checks when it starts an encrypted connection. It
> checks to see whether the site presenting the certificate is the one
> named in the certificate -- otherwise a fake site could use a real
> certificate -- and also checks to see if the certificate authority is
> trusted. 
>
> If this is the case the browser can check the certificate is valid using
> the Certificate Authority's public key. It's important that the
> Certificate Authority is trusted otherwise the validity doesn't really
> count for anything. A corrupt CA could issue valid certificates to sites
> in false names for example. 
>
> *otherwise traffic is unencrypted and is relatively easy to intercept.
> It's worth noting that the security of the encrypted traffic itself is
> not determined by the trustworthiness of the certificate per se, but by
> the mathematical strength of the keys. It is possible to issue your own
> certificates by 'self-signing' them, or setting up your CA and the
> encrypted traffic will be just as secure (more so in some cases). This
> is a common answer if you can not / do not want to buy a certificate but
> the issue remains as to whether you should trust these certificates,
> hence cacert.org
>  
>   
>> I understand it, to protect you against someone who has hijacked part of 
>> the connection between you and the website concerned. 
>>     
>
> This is more the function of the checks performed against a certificate
> as the above hopefully makes clear.
>   
>> This is an 
>> unlikely form of attack, as to spoof a site in this way you would need 
>> to have control over some part of the internet's infrastructure, such as 
>> the ISP - 
>>     
>
> (Actually you would only need a much smaller part of the whole. In some
> cases it is even possible to hijack traffic without having to hijack any
> of the intermediate points.)
>
>   
>> most website spoofs work by subtly altering the website's name 
>> - e.g. barc1ays.co.uk instead of barclays.co.uk (spot the difference). 
>> It's also worth pointing out that it's perfectly possible for a 'bad' 
>> site which distributes malware for example to have 'good' certificate - 
>> the certificate only guarantees that the website you are viewing is the 
>> one it says it is, not whether the content is safe. However, it is 
>> technically possible to fake a site in this way, and certificates give 
>> some degree of protection against this.
>>     
>
>   
>> Instead of paying for a certificate from one of the large commercial 
>> bodies who normally provide them, aktivix.org, who are providing the 
>> email list, have opted for one from a new, currently relatively small, 
>> certifying authority called cacert.org (see www.cacert.org, and 
>> http://en.wikipedia.org/wiki/CAcert.org ). This body issues free 
>> certificates automatically to websites on the basis that if someone can 
>> receive mail directed to postmaster at activix.org (for example), then they 
>> are the legitimate owner of that domain name (which is a fair 
>> assumption). 
>>     
>
> In practice this is not so different from how the large CAs do things.
> In addition cacert.org is trying to build a 'web of trust' to allow an
> additional degree of assurance for some certificates (see wikipedia on
> this: http://en.wikipedia.org/wiki/Web_of_trust)  
>
>   
>> Unfortunately, cacert is still not recognised as a 
>> certifying authority by many distributors of web browsers, so 
>> certificates issued by them don't check out in many browsers.
>>
>> If this was putting you off subscribing, but you still want to subscribe 
>> to the evolving minds list, you have a few options:
>>
>> - ignore the security warning temporarily so you can view the relevant 
>> page ( https://lists.aktivix.org/mailman/listinfo/evolvingminds ) and 
>> subscribe yourself.
>>     
>
> It's worth pointing out that subscribing requires no personal information
> that needs protecting in this way. The secure server used provides a
> level of privacy and security above and beyond that which would normally
> be expected and is used elsewhere for similar applications.   
>
>   
>> - ask me to subscribe you by sending me an email.
>> - subscribe yourself by email - you can do this by sending mail to 
>> EvolvingMinds-request at lists.aktivix.org with the word 'help' in the 
>> subject, and waiting for the mail server to send you back instructions 
>> on how to subscribe.
>> - decide that you are personally willing to trust cacert.org to certify 
>> sites, and install their root certificate on your browser. This will 
>> prevent such warnings in the future from any site certified by them, 
>> which tend to be smaller sites that can't afford the fees charged by the 
>> commercial certificate authorities. You can do this by going to:
>> http://www.cacert.org/index.php?id=3 and clicking on the link which says 
>> 'root certificate (PEM Format)'
>>
>> I hope this explanation is reasonably intelligible and gives you some 
>> reassurance that there isn't a problem with the email list, or the 
>> server it is running on. For what it's worth, I know some of the people 
>> involved in aktivix.org, who are a loosely affiliated group of people 
>> who provide technical support to various (mainly environmental) campaign 
>> groups, and I think they are good people and am personally quite willing 
>> to trust the website and also take their advice on installing the 
>> cacert.org certificate.
>>
>> Looking forward to seeing you on the list,
>>
>> andy baxter.
>>
>> _______________________________________________
>> AktiviX-discuss mailing list
>> AktiviX-discuss at lists.aktivix.org
>> https://lists.aktivix.org/mailman/listinfo/aktivix-discuss
>>     
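The three checks Paul describes (is the issuer trusted, does the certificate verify against that issuer's public key, does the name in it match the site) can be reproduced with the openssl command line. This is an added example, not part of the thread: a throwaway CA stands in for cacert.org, the host name lists.aktivix.org is taken from the thread, and everything runs offline.

```shell
#!/bin/sh
# Added example: a toy CA ("Toy CA") stands in for cacert.org. Installing its
# root into the trust store is what makes the site certificate check out.
set -e
WORK=$(mktemp -d)
cd "$WORK"

# 1. Two self-signed roots: the CA that will sign the site, and an unrelated one
#    (standing in for "the CAs my browser already trusts, which is not cacert").
openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Toy CA" \
    -keyout ca.key -out ca.pem >/dev/null 2>&1
openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Some Other CA" \
    -keyout other.key -out other.pem >/dev/null 2>&1

# 2. The site's key and certificate, signed by Toy CA, with the host name
#    recorded as a subjectAltName (what a browser matches against).
openssl req -newkey rsa:2048 -nodes -subj "/CN=lists.aktivix.org" \
    -keyout site.key -out site.csr >/dev/null 2>&1
printf 'subjectAltName=DNS:lists.aktivix.org\n' > san.cnf
openssl x509 -req -in site.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
    -days 1 -extfile san.cnf -out site.pem >/dev/null 2>&1

# verify_site TRUSTSTORE HOSTNAME: "ok" (exit 0) when the chain verifies
# against the trust store AND the name matches, otherwise "FAIL" (exit 1).
verify_site() {
    if openssl verify -CAfile "$1" -verify_hostname "$2" site.pem \
        >/dev/null 2>&1; then
        echo "ok"; return 0
    else
        echo "FAIL"; return 1
    fi
}

# Issuer not in the trust store: this is the warning the subscribers saw.
echo "CA not trusted    : $(verify_site other.pem lists.aktivix.org)"  # FAIL
# Root installed (the cacert.org step in the message): same cert, now fine.
echo "CA root installed : $(verify_site ca.pem    lists.aktivix.org)"  # ok
# Trusted issuer but another name: a real certificate cannot be reused by
# a look-alike site, which is the name check Paul refers to.
echo "name mismatch     : $(verify_site ca.pem    barc1ays.co.uk)"     # FAIL
```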