Re: Self-signed SSL cert vs. CA on same server

Hi Chris,

In your case, it doesn't sound like putting a CA on
your web-server will provide any extra security.

The only secure way to ensure your client is connected
to the server it expects to be, is for someone to
manually copy (out of band preferred) the certificate of
the server and load it on the client before the first
session.  This does not scale for the Internet so CAs
were invented.

A CA can generate a certificate for itself or have it
generated by another CA.  I'll only talk about
self-generation here.  Someone has to manually copy
this self-generated certificate onto all clients.
Now, this CA can sign certificates for other servers.
All clients with your CA's certificate will "trust"
certificates signed by your CA.

Normally, your browsers already have a set of CA
certificates that your vendor deems trustworthy.  You
must add your own CA's certificate to all PCs manually
to protect against the man-in-the-middle attack.
Otherwise, having a CA or your server signing its own
certificate is no different.

This is a very simplified explanation of CAs.  If you
choose to implement a CA, please do NOT put the CA on
the same machine as your apache server.  That's the
most insecure thing you can do.

-Sherwin

--- Chris de Vidal <cdevidal@xxxxxxxxx> wrote:
> I'm implementing an intranet web server and will
> need SSL.  I know of the
> dangers of using a self-signed certificate.  I see
> it is trivial to create a
> Certificate Authority (CA) but is it really more
> secure?  In other words,
> couldn't someone still craft a man-in-the-middle
> attack?
> 
> Ideally, I'd place the CA on the same box as the web
> server, but I can move it
> if that's more secure.
> 
> =====
> /dev/idal
> "GNU/Linux is free freedom" --Me
> 


=====
Best Regards,
Sherwin Lu
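The workflow Sherwin describes (a CA that issues its own certificate, clients that get that certificate installed by hand, server certificates signed by the CA, and the self-signed alternative), as an added shell example that is not part of the original thread. It uses the openssl command line; the subject names and the working directory are assumptions.

```shell
#!/bin/sh
# Added example, not from the list post. Builds a private CA with the
# openssl CLI, signs a server certificate with it, and checks which
# certificates a client accepts depending on what it has been told to trust.
# Subject names and the working directory are assumptions.
set -e
WORK="${WORK:-$(mktemp -d)}"

make_pki() {
  # 1. The CA issues its own (self-signed) certificate. ca.key must stay
  #    off the web server: whoever holds it can sign for any name.
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/CN=Intranet Root CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" >/dev/null 2>&1
  # 2. The web server makes its own key and a signing request (CSR);
  #    only the request travels to the CA, never the server's key.
  openssl req -newkey rsa:2048 -nodes -subj "/CN=intranet.example" \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" >/dev/null 2>&1
  # 3. The CA signs the request; server.crt is what apache will serve.
  openssl x509 -req -days 365 -in "$WORK/server.csr" \
    -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
    -out "$WORK/server.crt" >/dev/null 2>&1
  # 4. A self-signed certificate for the same name: what a client sees
  #    from any unrelated machine that merely claims to be the server.
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/CN=intranet.example" \
    -keyout "$WORK/other.key" -out "$WORK/other.crt" >/dev/null 2>&1
}

# client_accepts TRUSTED_CERT PRESENTED_CERT
# Exit status 0 if a client whose trust store holds only TRUSTED_CERT
# would accept PRESENTED_CERT, non-zero otherwise.
client_accepts() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Walk through the four cases the thread discusses and print the verdicts.
demo() {
  make_pki
  for pair in "ca.crt server.crt" "ca.crt other.crt" \
              "other.crt other.crt" "other.crt server.crt"; do
    set -- $pair
    if client_accepts "$WORK/$1" "$WORK/$2"; then
      echo "trusting $1: accepts $2"
    else
      echo "trusting $1: rejects $2"
    fi
  done
}
```

Call `demo` to see that a client trusting ca.crt accepts server.crt but not the look-alike, while a client that was handed the self-signed other.crt out of band accepts only that one certificate.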

------------------------------------------------------------------------
     To unsubscribe email security-discuss-request@xxxxxxxxxxxxxxxxx
         with "unsubscribe" in the subject of the message.
