Hi, First we are getting way of topic. Let me rephrase it, I am saying the opposite. No a certificate doesn't tell you the identity of a site, nor if the claimed identity is correct. For HTTPS a certificate, although intended that way, is not in all situations, a reliable source for establishing the identity of a site. You must not only implicitly trust de Certifying Authority, but all intermediate Authorities, between the site certificate and the root certificate. This has proven to be fallible. Both Root Authorities and Intermediate Authorities have been compromised. The net effect is that in the real world, all certificates are suspect to be false. For example, suppose the Google Internet Authority 2 has been compromised. (Hacked is the incorrect slang term, intrusion is better). The intruder, now can create, and issue, false certificates. Now, if the intruder creates a site, say googIe.tld, and make it look like Google. Now if this site is visited, the browser will happily tell you, that the certificate is fine, and the site is what you expect it to be. Only it isn't. So, in one way it identifies the site, because the certificate is trusted in this compromised yet trusted chain of CA's, and you are actually looking at the site which has the certificate. You expect it to be Google, but it isn't. Moreover, since intermediate certificates are issued by most OS building organizations, like Microsoft, Apple, Linux foundations, you also implicitly trust those organizations have their database of certificates up to date, and issue you with new certificates, once it is discovered certificates are compromised. So basically, you put a whole of trust in organizations and people you don't know, or even know they exist. And that is why I said that Certificates are not an identification. Op 16 feb. 2014, om 16:59 heeft Tedd Sperling <tedd@xxxxxxxxxxxx> het volgende geschreven: > On Feb 16, 2014, at 8:45 AM, Jasper Kips <jasper@xxxxxxxxxxxxx> wrote: > >> Op 16 feb. 2014, om 05:26 heeft Tedd Sperling <tedd@xxxxxxxxxxxx> het volgende geschreven: >> >>> I claim that a SSL Certificate is nothing more than a software instrument used by Browsers to alert users that the site they are visiting is indeed the site being reported -- IOW, the identify of the site can be trusted. > >> Yes, you are wrong. A SSL Certificate is NOT (repeat not) an identification of a site. If anything, identificationwise, it is a signed statement by the provider of the certificate, that the provider feels the Certificate details are right, and therefore the site claim to be who the Certificate says it is, could be right. The trustworthiness of the claim that the certificate that it belongs to the site serving it, and thereby establish its identity, is dependent of the trustworthiness of all certificates in the chain of certificates, all the way up to the root certificate. Thus if any certificate in the chain is compromised, the end certificate is not to be trusted. And this happens, more often than we want. Certificate authorities get compromised, more that you think. > > Now I am really confused, because what I said is basically what you said, but yours was more verbose. > > Can you be more specific as to why a SSL Certificate is NOT (repeat not) an identification of a site? > > Cheers, > > tedd > > _______________ > tedd sperling > tedd@xxxxxxxxxxxx > > > > >
Attachment:
signature.asc
Description: Message signed with OpenPGP using GPGMail