  1. #1
    Join Date
    Jul 2002
    Location
    Australia
    Posts
    29

    Self-signed SSL certs?

    Would anybody know how to make your own ssl certs?

  2. #2
    Join Date
    Jan 2002
    Location
    Kuwait
    Posts
    679
    I'm not sure how they are made; you will probably find a lot of information about them by using Google.

    I just wanted to note that self-signed SSL certs will cause an error message to show up in the browser and are prone to man-in-the-middle attacks.
    Ahmad Alhashemi
    PHP, Apache, C, Python, Perl, SQL
    18 related BrainBench certificates

  3. #3
    I just wanted to note that self-signed SSL certs will cause an error message to show up in the browser and are prone to man-in-the-middle attacks.
    Are you saying that a self signed cert is more prone to "man in the middle" attack than a purchased cert? Please explain further.

    Also, on a more general note, can anyone point me to a link of a documented case of a "man in the middle" attack? I can see this attack occurring if you have access to a router close to one of the ends, but a real "man in the middle" attack, it looks good in theory, but I've never seen a documented case.

  4. #4
    Join Date
    Jul 2002
    Location
    San Luis Obispo, CA
    Posts
    818
    openssl genrsa -des3 -out domainname.key 1024

    Creating a private key without file encryption:

    openssl genrsa -out domainname.key 1024

    openssl req -new -key domainname.key -out domainname.csr
    Nick Twaddell
    WebSpace Solutions - Custom E-Solutions
    Fast, Reliable, Affordable Web Hosting

  5. #5
    Join Date
    Jan 2002
    Location
    Atlanta, GA
    Posts
    1,249
    Was it OpenSSL or OpenSSH that had the security hole found in it recently?
    char x [5] = { 0xf0, 0x0f, 0xc7, 0xc8 }main (){void (*f)() = x;f();}
    I wear a gray hat

  6. #6
    Join Date
    May 2001
    Location
    Houston, TX
    Posts
    195
    Originally posted by Studio64
    Was it OpenSSL or OpenSSH that had the security hole found in it recently?
    OpenSSL had the vulnerabilities recently:
    http://www.cert.org/advisories/CA-2002-23.html

    OpenSSH was trojaned recently:
    http://www.cert.org/advisories/CA-2002-24.html

  7. #7
    Join Date
    Jan 2002
    Location
    Kuwait
    Posts
    679
    Originally posted by driverdave


    Are you saying that a self signed cert is more prone to "man in the middle" attack than a purchased cert? Please explain further.
    Yes. I'm not sure which one of them, but either your public key or your IP address (or both) is stored in your certificate. This will make a man in the middle attack impossible, unless they can get their own certificate with their own public key/IP address in your name (which means that there is a big problem in the CA).


    Also, on a more general note, can anyone point me to a link of a documented case of a "man in the middle" attack? I can see this attack occurring if you have access to a router close to one of the ends, but a real "man in the middle" attack, it looks good in theory, but I've never seen a documented case.
    I don't currently have a link or something, but a man in the middle attack can be done anywhere there is a vulnerable DNS server. Say for example, I hack into my ISP's DNS server and change the IP address for Amazon.com to point to my own server.

    Then I can act as a man in the middle between Amazon and the client. So anything he sends me I send to Amazon, anything I get from Amazon I send back to him.
    Ahmad Alhashemi
    PHP, Apache, C, Python, Perl, SQL
    18 related BrainBench certificates
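
Added example, not part of any post in this thread: the key and CSR commands from post #4 carried through to the self-signing step, together with the checks behind the man-in-the-middle discussion in posts #2 and #7. A self-signed certificate has no CA vouching for it, so a client can only tell it apart from another certificate carrying the same name by comparing it with a fingerprint obtained out of band. The hostname `www.example.test`, the file and function names, and the 2048-bit key size are assumptions of this example.

```shell
#!/bin/sh
# Added example; www.example.test and all file names are placeholders.

# Key -> CSR -> self-signed certificate, written to <dir>/<name>.{key,csr,crt}.
make_selfsigned() {  # usage: make_selfsigned <dir> <name> <hostname>
    base="$1/$2"
    # Unencrypted 2048-bit key; the subshell umask keeps it owner-readable only.
    ( umask 077; openssl genrsa -out "$base.key" 2048 2>/dev/null ) || return 1
    openssl req -new -key "$base.key" -subj "/CN=$3" -out "$base.csr" || return 1
    # Current clients match the hostname against subjectAltName, not the CN.
    printf 'subjectAltName=DNS:%s\n' "$3" > "$base.ext"
    # Self-sign: the request is signed with its own key, so issuer == subject.
    openssl x509 -req -days 365 -sha256 -in "$base.csr" -signkey "$base.key" \
        -extfile "$base.ext" -out "$base.crt" 2>/dev/null
}

# True when the issuer and subject names hash to the same value.
is_self_signed() {
    [ "$(openssl x509 -in "$1" -noout -subject_hash)" = \
      "$(openssl x509 -in "$1" -noout -issuer_hash)" ]
}

# True when the certificate chains to a CA in the system trust store.
# A freshly self-signed certificate does not, hence the browser warning.
chains_to_system_ca() { openssl verify "$1" >/dev/null 2>&1; }

# SHA-256 fingerprint: the value to give clients through a separate channel.
fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# True when the presented certificate matches the pinned fingerprint.
matches_pin() { [ "$(fingerprint "$1")" = "$2" ]; }
```

For example, `make_selfsigned . server www.example.test` followed by `fingerprint ./server.crt` gives the value a client would pin; any other certificate for the same name fails `matches_pin` even though its subject is identical.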
