Some Nerdy Stuff

February 1, 2010

Are self-signed certificates with https less secure than http alone?

Filed under: Uncategorized — aaronls @ 8:27 am

I was hoping to find a way to use a self-signed certificate over https to prevent eaves dropping.  I do understand that this is vulnerable to man-in-the-middle attacks.  Unfortunately, browsers seem to view this as less secure than http, because they display many alarming warnings that a user must click through that otherwise are not present when accessing an http website.  This sends a clear message to the user that a site with a self-signed certificate is significantly less secure than a http website.  I would argue these warnings are unwarranted, and at a minimum, a self-signed certificate site over https should appear to be no less secure than a regular http website.

I suppose if you are on a network where someone has managed to spoof a major banks website and use a self signed certificate, you’d want lots of red flags to go up to alert users.  However, if they have been able to compromise the DNS or have one of their own on the network that traffic is using, allowing them to redirect requests for the bank’s website, then they are just as capable of leaving the user on an http connection(because most users don’t type the https in the URL and rely on a redirection from the website) logging the traffic, and performing the SSL handshake with the destination website.   Thus the user will get no warnings at all(other than the lack of subtle visual cues, but these are nothing compared to big red warnings boxes).  So I feel like the warnings present for self-signed certificates really only have the impact of adding a few more relatively simple(compared to how far they’ve already come to perpetrate the attack) steps for the hacker.  Therefore, I would say that the warnings presented for websites using self-signed certificates do not significantly reduce the scenarios in which a connection can be compromised.

As an example, let’s say I would like to setup a website that is a casual online game.  I will be collecting non-sensitive data, but I would like to at least eliminate scenarios where a malicious party could eaves drop on the connection and use that to steal the user’s account for the game.  With a self-signed certificate and SSL, I can at least provide protection against eaves dropping scenarios.

So, in conclusion, I would have hoped that a website that uses a self-signed certificate would raise no more red flags than a regular http website.  Let me make clear that I don’t expect them to get the “this website is secure” seal of approval and visual cues that you get for secure websites, but I strongly believe the alarming warnings are very inappropriate.

However, johnath feels the warnings are appropriate because there are point and click programs that can log encrypted traffic by spoofing self-signed certificates. I don’t see how this makes such a scenario warrant warnings when the same logging can occur over http.  I feel that if one applied the same logic to http connections, then you would be displaying the same alarming warnings.  Maybe you believe that your average user knows http: means that the site is alarmingly insecure, and therefore alarming warnings are unnecessary.  As johnath points out though, you can get free certificates from StartSSL.com that will not give you warnings in Firefox 3 because the root certificate is included.  I’m skeptical as to what the catch might be with these free certificates though, if there is a catch.

Advertisements

Leave a Comment »

No comments yet.

RSS feed for comments on this post. TrackBack URI

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

Blog at WordPress.com.

%d bloggers like this: