Re: Self-signed key verses Verisign or Thawte

Subject: Re: Self-signed key verses Verisign or Thawte
From: civileme (civileme@mandrakesoft.com)
Date: Wed Jul 17 2002 - 16:25:02 AKDT

• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
• Next message: Mike Barsalou: "RE: Self-signed key verses Verisign or Thawte"
• Previous message: Mike Tibor: "Re: Self-signed key verses Verisign or Thawte"
• In reply to: Mike Barsalou: "Self-signed key verses Verisign or Thawte"
• Next in thread: Mike Barsalou: "RE: Self-signed key verses Verisign or Thawte"
• Reply: civileme: "Re: Self-signed key verses Verisign or Thawte"
• Reply: civileme: "Re: Self-signed key verses Verisign or Thawte"

On Wednesday 17 July 2002 02:12 pm, Mike Barsalou wrote:
> Can someone explain the advantage of having a Certificate from Verisign or
> Thawte over having one self-signed?
>
> Mike
>
> ---------
> To unsubscribe, send email to <aklug-request@aklug.org>
> with 'unsubscribe' in the message body.

The verification from an independent agency means you do not have to be
concerned about the "man-in-the-middle". Thus attack has been around
actually since TCP sniffing. With an unencrypted connection, you pretend to
be the client to the server and pretend to be the server to the client,
closing and re-opening TCP connections with different sequencing windows. It
is detectable on short hops by an "ACK storm" as the server and client reject
the (to them) out of sequence messages. This desyncronization will work
rather well if there are sufficient hops to absorb all the ACKs.

Using readily available libs (libpcap, libnet, libnids) and some easily
available test software, I can snatch unencrypted stuff from almost anyone as
long as I have a few hops between them and me and between the server and me.

I can also snatch encrypted stuff. All I have to do is get in the middle,
close the windows, reopen them with different keys, and present my
"self-signed certificate" to say I am the server in which they are
interested. As long as I pretend to be the user to the server and the server
to the user, and the user accepts my certificate, I can pass encrypted data,
decrypting it in the middle, because I have passed both of the folks MY key,
conveniently borrowed from some other secure server, and snarfing the odd
password or credit card number.

Now I cannot duplicate the Signature certificate for Verisign or Thawte
because there is a manual process involved to make it and communication with
a third party to verify it.

But this is why it is much more risky to use ssh or ssl against a self-signed
certificate.

Civileme

---------
To unsubscribe, send email to <aklug-request@aklug.org>
with 'unsubscribe' in the message body.

• Next message: Mike Barsalou: "RE: Self-signed key verses Verisign or Thawte"
• Previous message: Mike Tibor: "Re: Self-signed key verses Verisign or Thawte"
• In reply to: Mike Barsalou: "Self-signed key verses Verisign or Thawte"
• Next in thread: Mike Barsalou: "RE: Self-signed key verses Verisign or Thawte"
• Reply: civileme: "Re: Self-signed key verses Verisign or Thawte"
• Reply: civileme: "Re: Self-signed key verses Verisign or Thawte"

This archive was generated by hypermail 2a23 : Wed Jul 17 2002 - 16:25:05 AKDT