Comment by pilif
11 years ago
How would a browser know that the self-signed certificate that was just presented for www.mybank.com is intended to be self-signed (show no error, but also show no padlock) or whether it's the result of a MITM attack because www.mybank.com is supposed to present a properly signed certificate (show error)?
How would you inform people going to www.mybank.com which is presenting a self-signed cert in a way that a) they clearly notice but that b) doesn't annoy you when you connect to www.myblog.com which also is presenting a self-signed cert?
If the user typed www.mybank.com, let the server redirect to https but don't show the lock icon if it's self-signed. This is no worse than an impostor that just doesn't redirect to https.
If the user typed https://www.mybank.com, show the usual warning for self-signed certificates.
How many people are careful to type "https" every time they visit a website? How many people pay close attention to the lock icon/color of the URL bar? This advice seems to ignore the existence of sslstrip [0] and related attacks, and the numerous countermeasures that have been designed to deal with this problem (e.g. HSTS).
[0] http://www.thoughtcrime.org/software/sslstrip/
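The countermeasure named in the comment above can be modelled in a few dozen lines. The following is an added illustration, not code from this thread, from sslstrip or from any browser: a toy HSTS (RFC 6797) policy store that decides whether a typed `http://` URL is upgraded before any request leaves the machine, and whether a certificate error for that host may still be clicked through. Host names, header strings and the fake clock are constructed sample inputs.

```python
"""Toy model of a browser's HSTS (RFC 6797) policy store.

Added illustration; not code from the thread, from sslstrip or from any browser.
Host names and header values used with it are constructed sample inputs.
"""
import re
import time


class HSTSStore:
    """Remembers which hosts have asked to be reached only over HTTPS."""

    def __init__(self, clock=time.time):
        self.clock = clock
        # host -> (expiry timestamp, includeSubDomains flag)
        self.entries = {}

    def record_header(self, host, header, over_tls):
        """Process a Strict-Transport-Security header; returns True if it was applied."""
        # RFC 6797 section 8.1: the header is only honoured on a connection whose
        # certificate validated. Over plain HTTP it is ignored, so someone on the
        # wire cannot plant or overwrite a policy.
        if not over_tls:
            return False
        max_age, include_sub = None, False
        for directive in header.split(";"):
            name, _, value = directive.strip().partition("=")
            name = name.strip().lower()
            value = value.strip().strip('"')
            if name == "max-age":
                if not value.isdigit():
                    return False          # malformed: the whole header is ignored
                max_age = int(value)
            elif name == "includesubdomains":
                include_sub = True
        if max_age is None:
            return False                  # max-age is mandatory
        host = host.lower()
        if max_age == 0:
            self.entries.pop(host, None)  # max-age=0 removes the policy
            return True
        self.entries[host] = (self.clock() + max_age, include_sub)
        return True

    def is_known(self, host):
        """True if host, or a superdomain that set includeSubDomains, has a live policy."""
        host = host.lower()
        now = self.clock()
        labels = host.split(".")
        for i in range(len(labels)):
            entry = self.entries.get(".".join(labels[i:]))
            if entry is None or entry[0] <= now:
                continue                  # unknown or expired
            if i == 0 or entry[1]:        # exact match, or parent with includeSubDomains
                return True
        return False

    def navigate(self, url):
        """Return the URL the browser actually requests for a typed or linked URL."""
        m = re.match(r"^(https?)://([^/:]+)(:\d+)?(.*)$", url, re.IGNORECASE)
        if not m:
            raise ValueError("not an http(s) URL: " + url)
        scheme, host, port, rest = m.groups()
        if scheme.lower() == "http" and self.is_known(host):
            # The upgrade happens before any packet is sent, so a downgrading
            # proxy never sees a plaintext request it could rewrite.
            port = "" if port in (None, ":80") else port
            return "https://" + host + port + rest
        return url

    def cert_error_is_fatal(self, host):
        """RFC 6797 section 12.1: for a known host a certificate error offers no click-through."""
        return self.is_known(host)
```

The first visit to `http://www.mybank.com` is still sent in the clear because the store is empty; that trust-on-first-use window is exactly what a downgrading proxy exploits, and is why browsers ship a preload list on top of the header. Once the policy has been learned over a validated TLS connection, a typed `http://` URL is rewritten locally, and a self-signed certificate for that host is a hard failure rather than a warning the user can dismiss.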
This is EXACTLY what I want for my intranet sites. It lets me protect my users from the wireshark in the next cubicle.
The solution for this is to run your own CA internally and push out the cert to all the machines. (If you have BYOD stuff it makes it a little harder, but you could still have an internal CA signing only a certain subdomain and get people to install it.)
But that doesn't protect you from a malicious user hijacking this domain in the next cubicle. Perhaps, if your switches are not properly configured, the guy in the next cubicle could do some ARP spoofing and https://intranet.yourdomain would be served by a bogus server collecting passwords.
But your users won't notice the difference, because they are used to seeing the certificate warning in their browser.
How would a browser know that the fact that www.mybank.com doesn't use SSL at all is intended by the bank, or the result of a MITM attack? At the end of the day it all relies on the user seeing the (lack of a) padlock in his browser. So as long as you don't show a padlock (or a different kind of padlock) for www.mybank.com when the certificate is self-signed, you're good.
You would have to simply install the certificate for the CA that signed the certificate. Self-signed just means that YOU are the CA.