
SSL Trusted Certificates???


Curious Cat

Sep 8, 2002, 9:51:31 AM
Maybe I am missing something about SSL certificates. If anyone is smarter
than me with this stuff, then please enlighten me.

To help test my new server support for SSL, I used OE, IE, and
Netscape. They all worked except for the fact they said "the
certificate either expired or isn't trusted." OE, IE, and NS allowed me to
continue.
Ok, I can understand this. You need it up to the user to "accept" the
certificate.

Then I installed Eudora to test SSL and it didn't accept it saying the
"domain" did not match. I tried to tell it to "add it to the trusted list"
but it continues not to accept it.

Anyway, this got me thinking "what makes" the certificate trusted or put
another way "why is the client" determining if a certificate is trusted or
not?

So I started to write some client software to connect in SSL mode to see
what makes the client determine all this.

Well, I just finished writing these client applications and it all works
fine.

In other words, it is UP to the client to connect to the server in SSL
mode, exchange the certification information and it seems that as long as
the information is DECRYPTED properly, everything is fine. The client does
NOT have to check the certification information to determine whether
something is VALID or not.

So either I am missing something or this is just the BIGGEST security hole
in the WORLD! No wonder HACKERS can do anything they want. All they have
to do is write their own CLIENT. They don't have to USE OE, IE, NS or
EUDORA. They can write their own SSL client.

In my opinion it should be the OTHER way around too. The client should
send SOMETHING to the server saying "this is a valid client." I read about
some of this on the net, and I see talk, a lot of talk. This seems to be
the biggest security issue surrounding SSL and SSH, and with SSH it is
WORSE because at least with SSL you can make it so that the CLIENT sends a
certificate. But not so with SSH.

I mean, I just finished writing these clients with SSL support so I can test
SSL server and unless I make it "TIGHT" it can be used on ANY SSL system!

Maybe I am missing something about this. Maybe I missed the main point
that SSL and SSH are not to "secure WHO" connects but rather "secure the data
that is exchanged." It doesn't matter who connects, I mean a user still has
to log in, but all this talk about "trusted certificates" seems like a big
lie. There is no SUCH thing as a TRUSTED certificate.

I just don't see it.

Can you explain this to me?

thanks


David Cross [MS]

Sep 8, 2002, 11:31:34 AM
Absolutely, it is up to the client on what parameters to pass in checking
certs, etc. Remember that server-side SSL is to protect the client, not
the server. The server can do mutual authentication as well and require the
client to have a cert and can check the status of the client cert too.

--


David B. Cross [MS]

--
This posting is provided "AS IS" with no warranties, and confers no rights.

http://support.microsoft.com

"Curious Cat" <c...@meow.com> wrote in message
news:eQjYQ5zVCHA.2444@tkmsftngp09...
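
An added example, not part of either post: Python's `ssl` module makes the client-side choice discussed in this thread visible, with a context that verifies the server's chain and host name beside one that only encrypts, plus the server-side setting for the mutual authentication mentioned in the reply. The helper names, the sample certificate fields and the `example.test` host names are constructed for illustration; in a real handshake the library performs chain and name verification itself, and `peer_cert_problems` only illustrates the validity-period and domain checks the mail clients reported.

```python
import ssl
from datetime import datetime, timezone

def hostname_matches(pattern, host):
    """Compare one DNS name from a certificate with the host the client
    dialed; '*' is accepted only as the whole left-most label."""
    p, h = pattern.lower().split("."), host.lower().split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def peer_cert_problems(cert, host, now):
    """Validity-period and name checks on a dict shaped like the return
    value of ssl.SSLSocket.getpeercert()."""
    problems = []
    start = ssl.cert_time_to_seconds(cert["notBefore"])
    end = ssl.cert_time_to_seconds(cert["notAfter"])
    if not start <= now.timestamp() <= end:
        problems.append("expired or not yet valid")
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not any(hostname_matches(n, host) for n in names):
        problems.append("domain does not match")
    return problems

def client_context_gaps(ctx):
    """List the server-certificate checks this client context will skip."""
    gaps = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        gaps.append("chain not verified against trusted CAs")
    if not ctx.check_hostname:
        gaps.append("host name not checked")
    return gaps

# Constructed sample certificate fields (not taken from the thread).
SAMPLE_CERT = {
    "notBefore": "Sep 18 00:00:00 2001 GMT",
    "notAfter": "Sep 18 00:00:00 2003 GMT",
    "subjectAltName": (("DNS", "mail.example.test"), ("DNS", "*.lab.example.test")),
}
NOW = datetime(2002, 9, 8, tzinfo=timezone.utc)  # date of the posts

strict = ssl.create_default_context()        # verifies chain and host name
lax = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
lax.check_hostname = False                   # must be cleared before CERT_NONE
lax.verify_mode = ssl.CERT_NONE              # encrypts, but to an unverified peer

mutual = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
mutual.verify_mode = ssl.CERT_REQUIRED       # server demands a client certificate
```

A client built on the `lax` context still completes the handshake and encrypts traffic, which is why skipping the checks exposes that client's own user rather than the server.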
