Two tiered SSL certificates

Online security is a pretty hot item. People want to feel safe when they browse the web or interact with others via instant messaging. Currently, many of these activities are done in plain text without any encryption.
It would be trivial to set up a wireless hotspot in a busy area and wait for someone to use your internet connection. Since you control their gateway to the internet, you can see all of the traffic going in and out.
If the traffic is encrypted, it's just gibberish: unless a weak cipher or key is used, it would take geological time for anyone to crack it and get at the data. If it's in plain text, all of the traffic can be read with no effort at all. That includes instant messaging conversations, emails, websites visited, forms filled out, and the list goes on.
Many sites that handle sensitive data set up their web server to use SSL/TLS, which creates an encrypted tunnel between the browser and the server. Someone in the middle can no longer read what I typed into a form when I post it to the site.
Setting up a web server to do this is simple. The server holds a certificate and the matching private key. During the TLS handshake the browser checks that the certificate is valid for the site's hostname and chains to a certificate authority it trusts, and the server proves that it holds the private key; the keys derived from that handshake then protect every record for the rest of the session, so the connection cannot be hijacked mid-stream without the browser noticing.
If I generate a certificate myself and install everything correctly, the user is still shown a warning (sometimes even an error). This is because my certificate is self-signed rather than signed by a third-party certificate authority such as Verisign, which charges a hefty fee (sometimes hundreds or thousands of dollars). Cheaper signed certificates can be had from companies like GoDaddy, but there isn't a free option that won't cause an error or warning in the browser.
This is stupid. Why should someone need to pay to be able to encrypt the traffic to their server when all the technologies are already free or paid for?
My proposal is a two-tier system. Browsers would not warn the user about a certificate that is otherwise valid (right hostname, not expired) merely because it is self-signed, but would display the padlock icon only if it is signed by one of the pre-installed certificate authorities.
Site owners could then encrypt traffic to their site without having to purchase a certificate. As a side benefit, it could in theory flood the internet with encrypted traffic, making dragnet spying logistically unsound: the noise would take more effort to filter, and anyone doing anything even remotely illegal would be encrypting anyway, so tapping into a backbone would not be very fruitful.
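As an added example (not code from the original post), the two-tier policy described above is written out below as a certificate classifier driven by the openssl CLI, together with the "certificate and private key that match" check from the paragraph on server setup. Everything it works on is constructed for the demo: the "Example Root CA" standing in for a pre-installed CA, the CA-issued site.example certificate, and a self-signed certificate for the hypothetical bank.example; only the openssl command-line tool is assumed to exist.

```shell
#!/bin/sh
# Added example, not code from the original post: the proposed two-tier
# policy as a certificate classifier, plus the certificate/private-key match
# check, both driven by the openssl CLI. Every name and file below
# (Example Root CA, site.example, bank.example, ...) is constructed for the demo.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# req needs a distinguished_name section even when -subj supplies the DN;
# a private config keeps the demo independent of the system openssl.cnf.
printf '[req]\ndistinguished_name = dn\n[dn]\n' > req.cnf

# Key pair plus CSR for a given subject: NAME.key and NAME.csr
new_csr() { # NAME CN
    openssl req -config req.cnf -new -newkey rsa:2048 -nodes \
        -subj "/CN=$2" -keyout "$1.key" -out "$1.csr" 2>/dev/null
}

# End-entity extensions. The hostname goes in subjectAltName; browsers ignore
# the CN for name matching, and openssl's -verify_hostname prefers the SAN.
leaf_ext() { # HOSTNAME
    printf 'basicConstraints = CA:FALSE\nsubjectAltName = DNS:%s\n' "$1"
}

# 1. A root CA standing in for "one of the pre-installed certificate authorities".
printf 'basicConstraints = critical, CA:TRUE\nkeyUsage = critical, keyCertSign, cRLSign\n' > ca.ext
new_csr ca "Example Root CA"
openssl x509 -req -in ca.csr -signkey ca.key -days 1 -extfile ca.ext -out ca.crt 2>/dev/null

# 2. A site certificate issued by that CA (tier 1: padlock).
new_csr site site.example
leaf_ext site.example > site.ext
openssl x509 -req -in site.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
    -days 1 -extfile site.ext -out site.crt 2>/dev/null

# 3. A self-signed certificate for bank.example (tier 2: encrypted, no padlock).
#    Anyone on the path, a rogue hotspot included, can mint one of these.
new_csr self bank.example
leaf_ext bank.example > self.ext
openssl x509 -req -in self.csr -signkey self.key -days 1 -extfile self.ext -out self.crt 2>/dev/null

# The "certificate and private key that match" check: the public key embedded
# in the certificate must equal the one derived from the private key.
# Works for any key type, unlike the common trick of comparing RSA moduli.
key_matches_cert() { # KEYFILE CERTFILE
    [ "$(openssl pkey -in "$1" -pubout 2>/dev/null)" = \
      "$(openssl x509 -in "$2" -noout -pubkey)" ]
}

# The two-tier policy. Prints one of:
#   padlock   - chains to a trusted root, valid dates, hostname matches
#   encrypted - self-signed but otherwise valid (dates, hostname): no warning,
#               no padlock, because nobody vouches for who holds the key
#   warn      - everything else (wrong host, expired, bad signature, ...)
classify_cert() { # CERTFILE TRUSTED_ROOTS HOSTNAME
    if openssl verify -CAfile "$2" -verify_hostname "$3" "$1" >/dev/null 2>&1; then
        echo padlock
    elif openssl verify -CAfile "$1" -verify_hostname "$3" "$1" >/dev/null 2>&1; then
        # Verifying the certificate against itself as the only trust anchor
        # succeeds only for a self-signed cert whose signature, dates and hostname check out.
        echo encrypted
    else
        echo warn
    fi
}

for case in "site.crt site.example" "self.crt bank.example" \
            "self.crt shop.example" "site.crt evil.example"; do
    set -- $case
    printf '%-9s presented for %-13s -> %s\n' "$1" "$2" "$(classify_cert "$1" ca.crt "$2")"
done
if key_matches_cert site.key site.crt; then echo "site.key matches site.crt"; fi
if ! key_matches_cert self.key site.crt; then echo "self.key does not match site.crt"; fi
```

The middle tier is deliberately the weak one: a self-signed certificate for bank.example classifies as "encrypted" whichever machine generated it, which is exactly why the policy withholds the padlock there and reserves it for certificates that chain to a trusted root. Expired certificates and hostname mismatches fall through to "warn" in both tiers because openssl verify rejects them before the tier question is asked.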
5 Responses to “Two tiered SSL certificates”
There is a free root (known as cacert.org). I think they might be in some Linux distributions' Firefox, which is well better than self-signed.
I agree that this is a good solution but unless it's supported in most browsers, it's rubbish.
Firefox on the Linux desktop is a very tiny portion of the market share who are likely to already be tech savvy enough to not mind the warning anyway.
Firefox including a free CA on all builds of their browser is what’s needed to take hold.
Have you heard of a Man In The Middle attack?
I run a public wifi hotspot, but proxy all traffic to your bank through my server, which uses a self-signed SSL certificate. You are not warned by your browser, and bank online care free. I now have your credentials, even though everything you sent *was* encrypted.
Fail.
You pay Verisign to verify that the certificates they issue are only issued to the rightful owner of that domain. Whether or not they actually do that is a different question.
Nick, you fail to see my point. I understand this can be faked. I mistakenly used the wrong example because I realize that it won't solve these sorts of problems and don't intend to use this to solve them.
My point is: why should a normal person, not an attacker, with a site not be able to use SSL without having a warning in a user's browser? A free CA that's pre-installed would work for that just fine.
Seth:
"My point is: why should a normal person, not an attacker, with a site not be able to use SSL without having a warning in a user's browser? A free CA that's pre-installed would work for that just fine."
Who decides if you’re an attacker or not? Someone has to - and that’s the checking part that costs CAs money, which is why they charge.
Actually, the product you ask for already exists. It’s called a DV (Domain Validated) certificate. The ‘checking’ is done by verifying your ownership of the domain (usually via emailing a contact from the WHOIS or someone@thedomain.com). As this can be automated, the cost is dramatically less. If you look around, the certs can be had for anything from $50 to $10.