[AktiviX-discuss] Why is the security certificate bad?
andy baxter
andy at earthsong.free-online.co.uk
Mon Dec 3 17:34:28 UTC 2007
Paul M wrote:
> On Mon, 2007-12-03 at 05:49 +0000, andy baxter wrote:
>
>> I have sent the following explanation to the people I was inviting to
>> join the list. If you get the time, could you check it through and let
>> me know whether it looks like reasonable advice (I am not 100% sure
>> about some of the details, like the kind of attacks that certificates
>> are meant to prevent.)
>>
>
> The advice is good, I have written comments/corrections on the other
> stuff inline.
>
Thanks for your help.
andy.
>
>> thanks,
>>
>> andy.
>>
>> ------------------- forwarded message ---------------------
>>
>> I'm just sending this because I've had an email from someone saying they
>> had a problem subscribing to the list. The problem is that when you
>> access the website you subscribe through, the browser warns you that the
>> site's security certificate doesn't check out.
>>
>> I have now been in touch with the people who run the mail server and
>> website we are using, and the explanation for this is that they can't
>> afford to buy a certificate from one of the commercial certifying
>> authorities, who charge over £100/year for their certificates.
>>
>
> For clarity I should point out that I don't admin the Aktivix servers,
> (though this is what I do for a living), however I'm sure they would
> tell you the same things.
>
>
>> These
>> bodies give out certificates which are meant to securely identify the
>> site you are looking at as the one it says that it is.
>>
>
> This is not strictly true. The purpose of the certificates is to enable
> encrypted traffic between a browser and a server*, however it is also
> important that the server is who it claims to be. This is why the browser
> performs a series of checks when it starts an encrypted connection. It
> checks to see whether the site presenting the certificate is the one
> named in the certificate -- otherwise a fake site could use a real
> certificate -- and also checks to see if the certificate authority is
> trusted.
>
> If this is the case the browser can check the certificate is valid using
> the Certificate Authority's public key. It's important that the
> Certificate Authority is trusted, otherwise the validity doesn't really
> count for anything. A corrupt CA could issue valid certificates to sites
> in false names, for example.
>
> *otherwise traffic is unencrypted and is relatively easy to intercept.
> It's worth noting that the security of the encrypted traffic itself is
> not determined by the trustworthiness of the certificate per se, but by
> the mathematical strength of the keys. It is possible to issue your own
> certificates by 'self-signing' them, or setting up your own CA, and the
> encrypted traffic will be just as secure (more so in some cases). This
> is a common answer if you can not / do not want to buy a certificate, but
> the issue remains as to whether you should trust these certificates,
> hence cacert.org
>
>
>> I understand it, to protect you against someone who has hijacked part of
>> the connection between you and the website concerned.
>>
>
> This is more the function of the checks performed against a certificate
> as the above hopefully makes clear.
>
>> This is an
>> unlikely form of attack, as to spoof a site in this way you would need
>> to have control over some part of the internet's infrastructure, such as
>> the ISP -
>>
>
> (Actually you would only need a much smaller part of the whole. In some
> cases it is even possible to hijack traffic without having to hijack any
> of the intermediate points.)
>
>
>> most website spoofs work by subtly altering the website's name
>> - e.g. barc1ays.co.uk instead of barclays.co.uk (spot the difference).
>> It's also worth pointing out that it's perfectly possible for a 'bad'
>> site which distributes malware, for example, to have a 'good' certificate -
>> the certificate only guarantees that the website you are viewing is the
>> one it says it is, not whether the content is safe. However, it is
>> technically possible to fake a site in this way, and certificates give
>> some degree of protection against this.
>>
>
>
>> Instead of paying for a certificate from one of the large commercial
>> bodies who normally provide them, aktivix.org, who are providing the
>> email list, have opted for one from a new, currently relatively small,
>> certifying authority called cacert.org (see www.cacert.org, and
>> http://en.wikipedia.org/wiki/CAcert.org ). This body issues free
>> certificates automatically to websites on the basis that if someone can
>> receive mail directed to postmaster at aktivix.org (for example), then they
>> are the legitimate owner of that domain name (which is a fair
>> assumption).
>>
>
> In practice this is not so different from how the large CAs do things.
> In addition cacert.org is trying to build a 'web of trust' to allow an
> additional degree of assurance for some certificates (see wikipedia on
> this: http://en.wikipedia.org/wiki/Web_of_trust)
>
>
>> Unfortunately, cacert is still not recognised as a
>> certifying authority by many distributors of web browsers, so
>> certificates issued by them don't check out in many browsers.
>>
>> If this was putting you off subscribing, but you still want to subscribe
>> to the evolving minds list, you have a few options:
>>
>> - ignore the security warning temporarily so you can view the relevant
>> page ( https://lists.aktivix.org/mailman/listinfo/evolvingminds ) and
>> subscribe yourself.
>>
>
> It's worth pointing out that subscribing requires no personal information
> that needs protecting in this way. The secure server used provides a
> level of privacy and security above and beyond that which would normally
> be expected and is used elsewhere for similar applications.
>
>
>> - ask me to subscribe you by sending me an email.
>> - subscribe yourself by email - you can do this by sending mail to
>> EvolvingMinds-request at lists.aktivix.org with the word 'help' in the
>> subject, and waiting for the mail server to send you back instructions
>> on how to subscribe.
>> - decide that you are personally willing to trust cacert.org to certify
>> sites, and install their root certificate on your browser. This will
>> prevent such warnings in the future from any site certified by them,
>> which tend to be smaller sites that can't afford the fees charged by the
>> commercial certificate authorities. You can do this by going to:
>> http://www.cacert.org/index.php?id=3 and clicking on the link which says
>> 'root certificate (PEM Format)'
>>
>> I hope this explanation is reasonably intelligible and gives you some
>> reassurance that there isn't a problem with the email list, or the
>> server it is running on. For what it's worth, I know some of the people
>> involved in aktivix.org, who are a loosely affiliated group of people
>> who provide technical support to various (mainly environmental) campaign
>> groups, and I think they are good people and am personally quite willing
>> to trust the website and also take their advice on installing the
>> cacert.org certificate.
>>
>> Looking forward to seeing you on the list,
>>
>> andy baxter.
>>
>> _______________________________________________
>> AktiviX-discuss mailing list
>> AktiviX-discuss at lists.aktivix.org
>> https://lists.aktivix.org/mailman/listinfo/aktivix-discuss
>>
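The following script is an added illustration of the checks Paul describes above (signature from a trusted CA, name in the certificate matching the site) and of the effect of installing a root certificate yourself; it is not code from the thread or from aktivix.org. It uses the openssl command-line tool to play CA, site and browser on one machine. The CA names and the three hostnames are assumptions made for the demonstration, and the certificates it creates are throwaway test certificates in a temporary directory.

```shell
#!/bin/sh
# Added example, not part of the original thread: reproduce with the openssl
# CLI the checks a browser makes on a site certificate. All CA names and
# hostnames below are assumptions chosen for the demonstration.
set -eu

WORK=$(mktemp -d)
cd "$WORK"

# Create a self-signed CA certificate and key. $1 = file prefix, $2 = CA name.
make_ca() {
    cat > "$1.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3_ca
[dn]
CN = $2
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
        -config "$1.cnf" -keyout "$1.key" -out "$1.pem" 2>/dev/null
}

# Issue a site certificate for hostname $3, signed by CA $1, into prefix $2.
# This is the step a CA performs after checking (somehow) who owns the name.
issue_cert() {
    cat > "$2.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
[dn]
CN = $3
EOF
    openssl req -newkey rsa:2048 -nodes -sha256 -config "$2.cnf" \
        -keyout "$2.key" -out "$2.csr" 2>/dev/null
    printf 'subjectAltName = DNS:%s\nbasicConstraints = CA:FALSE\n' "$3" > "$2.ext"
    openssl x509 -req -sha256 -days 1 -in "$2.csr" -CA "$1.pem" -CAkey "$1.key" \
        -CAcreateserial -extfile "$2.ext" -out "$2.pem" 2>/dev/null
}

# The browser-style check: certificate $2 must chain to a root in trust store
# $1 (signature verified with the CA's public key) AND carry the name $3.
# Only the given store is consulted, so adding a root to it is exactly what
# "install their root certificate" means. Exit status 0 = certificate accepted.
verify_cert() {
    openssl verify -no-CAfile -no-CApath -CAfile "$1" \
        -verify_hostname "$3" "$2" >/dev/null 2>&1
}

# Print what happened against what was expected. $1 = pass|fail, $2 = label.
check() {
    expected=$1; label=$2; shift 2
    if "$@"; then got=pass; else got=fail; fi
    echo "$got (expected $expected): $label"
}

make_ca trusted "Trusted Root CA"     # shipped in the browser's trust store
make_ca cacert  "CAcert-like Root"    # legitimate, but not shipped by browsers
make_ca rogue   "Corrupt CA"          # willing to sign certificates in false names

issue_cert trusted bank    www.barclays.co.uk
issue_cert cacert  aktivix lists.aktivix.org
issue_cert rogue   forged  www.barclays.co.uk

check pass "genuine certificate from a trusted CA, correct name" \
    verify_cert trusted.pem bank.pem www.barclays.co.uk
check fail "real certificate presented by a look-alike site" \
    verify_cert trusted.pem bank.pem barc1ays.co.uk
check fail "certificate in a false name from an untrusted (corrupt) CA" \
    verify_cert trusted.pem forged.pem www.barclays.co.uk
check fail "CAcert-style certificate, root not installed (the browser warning)" \
    verify_cert trusted.pem aktivix.pem lists.aktivix.org
check pass "same certificate after installing the CAcert-style root" \
    verify_cert cacert.pem aktivix.pem lists.aktivix.org
```

Run it with sh on any machine with the openssl tool installed; it needs no network. The fourth line is the situation from the original mail: the certificate itself is fine and the connection would be encrypted, but the root it chains to is not in the browser's store, so the browser warns. The fifth line shows what installing that root changes, and the third line shows why the choice of which roots to install matters: once a CA is trusted, anything it signs, in any name, is accepted.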