I know little about security certificates but am following advice to check
the details when using an HTTPS site. Can anyone tell me what the Install
Certificate option is when I check, for instance GRC's certificate?

Thanks for your time

Galadrial wrote:

> I know little about security certificates but am following advice to check
> the details when using an HTTPS site. Can anyone tell me what the Install
> Certificate option is when I check,


It locally stores the certificate for later comparison when it's a root cert.

> for instance GRC's certificate?


Then for nothing. You visited a charlatan's website and you want to add his
self-signed root cert to your cert store? Utterly foolish.

On Sun, 26 Aug 2007 12:09:23 GMT, "Galadrial"
<galadrial@hogold.freeserve.co.uk> wrote:

>I know little about security certificates but am following advice to check
>the details when using an HTTPS site. Can anyone tell me what the Install
>Certificate option is when I check, for instance GRC's certificate?
>
>Thanks for your time

I think Certificates on a web server have three uses

1. To show that the site is genuine
2. To encrypt the session
3. To generate an income for the certificate authority (CA)

Because the CA takes reasonable care not to issue, for
example a certificate saying 'Microsoft' to joe hacker
then it establishes trust that you really are dealing
with say, Microsoft.

If you can trust that the site you are using really
is genuine, and it happens to be someone who has generated
his own certificate, because they know how and wish to
avoid paying a CA, then its OK to add it to your browser.

The CA root certificates get added automatically by the
browser authors, but obviously they do not cater for people
who 'roll their own' so there is the provision to add them
yourself, under caution.

For a serious e-commerce website, its a false economy to
do this, although I do know a large bank who use the wrong
certificate on their electronic banking site. For a small
e-commerce site, like GRC's its reasonable.

You either trust him or you don't. I use spinrite and
its saved my arse, and he did pick up on the 'real downloader'
spyware issue rather well when I mentioned it to him, so I
think he is OK, Sebastian seems to be of the other view.

Not that it matters much.
--
Jim Watt
http://www.gibnet.com

Thanks Jim, getting clearer. To summarise, if the certificate is issued by
the website themselves then be very sure before installing. Just not clear
what, if anything, I am missing out on by not installing - whether a self
certificate I decide to trust or one issued by a known and trusted authority
(Versign in GRC's case)? I have not problem with GRC's site, the
certificate looks fine and I'm not getting any warnings.

"Jim Watt" <jimwatt@aol.no_way> wrote in message
news:5g25d3p363c5j7tkb1ugp8ff3l5akg6h43@4ax.com...
> On Sun, 26 Aug 2007 12:09:23 GMT, "Galadrial"
> <galadrial@hogold.freeserve.co.uk> wrote:
>
>>I know little about security certificates but am following advice to check
>>the details when using an HTTPS site. Can anyone tell me what the Install
>>Certificate option is when I check, for instance GRC's certificate?
>>
>>Thanks for your time
>
> I think Certificates on a web server have three uses
>
> 1. To show that the site is genuine
> 2. To encrypt the session
> 3. To generate an income for the certificate authority (CA)
>
> Because the CA takes reasonable care not to issue, for
> example a certificate saying 'Microsoft' to joe hacker
> then it establishes trust that you really are dealing
> with say, Microsoft.
>
> If you can trust that the site you are using really
> is genuine, and it happens to be someone who has generated
> his own certificate, because they know how and wish to
> avoid paying a CA, then its OK to add it to your browser.
>
> The CA root certificates get added automatically by the
> browser authors, but obviously they do not cater for people
> who 'roll their own' so there is the provision to add them
> yourself, under caution.
>
> For a serious e-commerce website, its a false economy to
> do this, although I do know a large bank who use the wrong
> certificate on their electronic banking site. For a small
> e-commerce site, like GRC's its reasonable.
>
> You either trust him or you don't. I use spinrite and
> its saved my arse, and he did pick up on the 'real downloader'
> spyware issue rather well when I mentioned it to him, so I
> think he is OK, Sebastian seems to be of the other view.
>
> Not that it matters much.
> --
> Jim Watt
> http://www.gibnet.com

Jim Watt <jimwatt@aol.no_way> wrote in
news:5g25d3p363c5j7tkb1ugp8ff3l5akg6h43@4ax.com:

....
> Because the CA takes reasonable care not to issue, for
> example a certificate saying 'Microsoft' to joe hacker
> then it establishes trust that you really are dealing
> with say, Microsoft.
....

Funny you should pick Microsoft as your example regarding this point. In
January 2001, VeriSign **erroneously issued** two Class 3 code-signing
certificates to someone falsely claiming to represent Microsoft. It was 6
weeks before anyone noticed!

Regards,

On 27 Aug 2007 13:07:51 GMT, "nemo_outis" <abc@xyz.com> wrote:

>Jim Watt <jimwatt@aol.no_way> wrote in
>news:5g25d3p363c5j7tkb1ugp8ff3l5akg6h43@4ax.com:
>
>...
>> Because the CA takes reasonable care not to issue, for
>> example a certificate saying 'Microsoft' to joe hacker
>> then it establishes trust that you really are dealing
>> with say, Microsoft.
>...
>
>Funny you should pick Microsoft as your example regarding this point. In
>January 2001, VeriSign **erroneously issued** two Class 3 code-signing
>certificates to someone falsely claiming to represent Microsoft. It was 6
>weeks before anyone noticed!

Well spotted:)
--
Jim Watt
http://www.gibnet.com

On Mon, 27 Aug 2007 10:48:35 +0200, Jim Watt wrote:

> On Sun, 26 Aug 2007 12:09:23 GMT, "Galadrial"
> <galadrial@hogold.freeserve.co.uk> wrote:
>
>>I know little about security certificates but am following advice to check
>>the details when using an HTTPS site. Can anyone tell me what the Install
>>Certificate option is when I check, for instance GRC's certificate?
>>
>>Thanks for your time
>
> I think Certificates on a web server have three uses
>
> 1. To show that the site is genuine
> 2. To encrypt the session
> 3. To generate an income for the certificate authority (CA)
>
> Because the CA takes reasonable care not to issue, for
> example a certificate saying 'Microsoft' to joe hacker
> then it establishes trust that you really are dealing
> with say, Microsoft.
>
> If you can trust that the site you are using really
> is genuine, and it happens to be someone who has generated
> his own certificate, because they know how and wish to
> avoid paying a CA, then its OK to add it to your browser.
>
> The CA root certificates get added automatically by the
> browser authors, but obviously they do not cater for people
> who 'roll their own' so there is the provision to add them
> yourself, under caution.
>
> For a serious e-commerce website, its a false economy to
> do this, although I do know a large bank who use the wrong
> certificate on their electronic banking site. For a small
> e-commerce site, like GRC's its reasonable.
>
> You either trust him or you don't. I use spinrite and
> its saved my arse, and he did pick up on the 'real downloader'
> spyware issue rather well when I mentioned it to him, so I
> think he is OK, Sebastian seems to be of the other view.
>
> Not that it matters much.

Complicating the CA issue is Comodo's free issuance of CAs.
--
"You can't trust code that you did not totally create yourself"
Ken Thompson "Reflections on Trusting Trust"
http://www.acm.org/classics/sep95/

On Sun, 2 Sep 2007 18:08:51 -0400, Ari <arisilverstein@yahoo.com>
wrote:

>On Mon, 27 Aug 2007 10:48:35 +0200, Jim Watt wrote:
>
>> On Sun, 26 Aug 2007 12:09:23 GMT, "Galadrial"
>> <galadrial@hogold.freeserve.co.uk> wrote:
>>
>>>I know little about security certificates but am following advice to check
>>>the details when using an HTTPS site. Can anyone tell me what the Install
>>>Certificate option is when I check, for instance GRC's certificate?
>>>
>>>Thanks for your time
>>
>> I think Certificates on a web server have three uses
>>
>> 1. To show that the site is genuine
>> 2. To encrypt the session
>> 3. To generate an income for the certificate authority (CA)
>>
>> Because the CA takes reasonable care not to issue, for
>> example a certificate saying 'Microsoft' to joe hacker
>> then it establishes trust that you really are dealing
>> with say, Microsoft.
>>
>> If you can trust that the site you are using really
>> is genuine, and it happens to be someone who has generated
>> his own certificate, because they know how and wish to
>> avoid paying a CA, then its OK to add it to your browser.
>>
>> The CA root certificates get added automatically by the
>> browser authors, but obviously they do not cater for people
>> who 'roll their own' so there is the provision to add them
>> yourself, under caution.
>>
>> For a serious e-commerce website, its a false economy to
>> do this, although I do know a large bank who use the wrong
>> certificate on their electronic banking site. For a small
>> e-commerce site, like GRC's its reasonable.

>Complicating the CA issue is Comodo's free issuance of CAs.

Not really because their offer is not really free its
rather like shareware

"Free SSL Certificates provide full Secure Sockets Layer functionality
for 90 days"

So after 90 days you have to pay them like any other CA

Anyone can issue a certificate, what you pay for is the trust
element, and that the CA is included by default in everyones
web browser.

For a commercial website, basically you need to buy a certificate
and its part of the cost of operation.

For some circumstances any certificate, including one you generate
yourself will do.

Who can be a CA is also covered by an EU directive which is
implemented in the laws of the jurisdiction where it does
business. Non EU countries may have their own restrictions
and laws.
--
Jim Watt
http://www.gibnet.com

On Mon, 03 Sep 2007 11:51:15 +0200, Jim Watt wrote:

>>> For a serious e-commerce website, its a false economy to
>>> do this, although I do know a large bank who use the wrong
>>> certificate on their electronic banking site. For a small
>>> e-commerce site, like GRC's its reasonable.
>
>>Complicating the CA issue is Comodo's free issuance of CAs.
>
> Not really because their offer is not really free its
> rather like shareware

<http://www.comodo.com/products/certificate_services/email_certificate.html>
--
"You can't trust code that you did not totally create yourself"
Ken Thompson "Reflections on Trusting Trust"
http://www.acm.org/classics/sep95/

On Mon, 3 Sep 2007 22:49:22 -0400, Ari <arisilverstein@yahoo.com>
wrote:

>On Mon, 03 Sep 2007 11:51:15 +0200, Jim Watt wrote:
>
>>>> For a serious e-commerce website, its a false economy to
>>>> do this, although I do know a large bank who use the wrong
>>>> certificate on their electronic banking site. For a small
>>>> e-commerce site, like GRC's its reasonable.
>>
>>>Complicating the CA issue is Comodo's free issuance of CAs.
>>
>> Not really because their offer is not really free its
>> rather like shareware
>
><http://www.comodo.com/products/certificate_services/email_certificate.html>

OK but their offer of certificates for a secure server is
90 days free trial then pay. Not saying its unfair because
we all need to make a living but free its not.

Verisign used to give away free certificates for email too.
--
Jim Watt
http://www.gibnet.com

Pleased to see my original question provoked some discussion but I'm none
the wiser ..

.... if I go to a bank website, see Https, check out the certificate and have
the option to "Install Certificate", should I ? what do I gain or lose by
doing so or not?

On Tue, 04 Sep 2007 17:25:29 GMT, "Galadrial"
<galadrial@hogold.freeserve.co.uk> wrote:

>Pleased to see my original question provoked some discussion but I'm none
>the wiser ..
>
>... if I go to a bank website, see Https, check out the certificate and have
>the option to "Install Certificate", should I ? what do I gain or lose by
>doing so or not?

Perhaps you did not understand the answer;

However you should NOT install a certificate for a
bank !!! nor should you be required to do so.

In the context of this newsgroup GRC is taken to mean
Gibson Research www.grc.com some think he is a god
amongst computer men and others are atheists. I find
some of his stuff useful and good value for money.

Now the owner of that (an myself) are quite capable of
generating our own SSL certificates which would not be
automatically recognised by your browser.

If you chose to install a 'home made' certificate you are
telling your computer that YOU trust that it is genuine.

With a paid certificate issued by a Certificate Authority
(CA), say Verisign you do not have to tell your machine to
trust them because it relies on them not to issue certificates
to crooks or the wrong people. That why they charge for them.

Obviously the database of trusted root certificates changes
from time to time, and I note one of the updates from MS
recently was for that, so if you don't use automatic updates
visit

http://update.microsoft.com

and update your software, assuming you use Microsoft, if you
have a mac, sacrifice a goat or whatever such people do and
if you are clever enough to use Linux you should be answering
questions not asking them.

But basically certificates provide two functions, encrypting
data passed between two machines which ensures its integrity
and prevents its interception and secondly establishing trust
in the identity of whoever you are exchanging data with.

If you have continued problems with your banks certificate
contact them. It might indicate the site is not really theirs
or they have screwed up.

--
Jim Watt
http://www.gibnet.com

In article <tdpsd3ts6cifvtfohrb7bt3u6hdl5pdb6l@4ax.com>,
Jim Watt <jimwatt@aol.no_way> wrote:
...
>If you chose to install a 'home made' certificate you are
>telling your computer that YOU trust that it is genuine.
...
>With a paid certificate issued by a Certificate Authority
>(CA), say Verisign you do not have to tell your machine to
>trust them because it relies on them not to issue certificates
>to crooks or the wrong people. That why they charge for them.
...

No, they charge for them to make a profit. They have shown by their
behavior that they will happily assign certificates to unauthorized
people.

...
>But basically certificates provide two functions, encrypting
>data passed between two machines which ensures its integrity
>and prevents its interception and secondly establishing trust
>in the identity of whoever you are exchanging data with.

No, certficates only provide one function: protecting data while in
transit.

While they have the theoretical ability to do the second, in practice,
they don't. So, don't trust a certificate unless _you_ - and not a
third party - have followed the trust chain yourself.

Craig

On Wed, 05 Sep 2007 12:47:05 -0000, Craig A. Finseth
<news@finseth.com> wrote:

>No, they charge for them to make a profit.

surely not? That would make them capitalist
running dogs.

"The new social system has only just been
established and requires time for its
consolidation"

chairman Mao, the little red book P 27

Further reading

http://en.wikipedia.org/wiki/Certificate_authority
--
Jim Watt
http://www.gibnet.com

On Wed, 05 Sep 2007 12:47:05 -0000, Craig A. Finseth wrote:

>>But basically certificates provide two functions, encrypting
>>data passed between two machines which ensures its integrity
>>and prevents its interception and secondly establishing trust
>>in the identity of whoever you are exchanging data with.
>
> No, certficates only provide one function: protecting data while in
> transit.
>
> While they have the theoretical ability to do the second, in practice,
> they don't. So, don't trust a certificate unless _you_ - and not a
> third party - have followed the trust chain yourself.
>
> Craig

"You can't trust code that you did not totally create yourself"
Ken Thompson "Reflections on Trusting Trust"
http://www.acm.org/classics/sep95/

Ari <arisilverstein@yahoo.com> wrote in news:1l87al1ipfczl
$.ba11mgcc80aq.dlg@40tude.net:

....
>> While they have the theoretical ability to do the second, in practice,
>> they don't. So, don't trust a certificate unless _you_ - and not a
>> third party - have followed the trust chain yourself.


I have often wondered why hackers (using trojans, etc.) or even, say,
coworkers in an office, don't install a bogus certificate (or better, a
bogus certificate authority) into other folks' browsers.

Regards,

nemo_outis wrote:

> Ari <arisilverstein@yahoo.com> wrote in news:1l87al1ipfczl
> $.ba11mgcc80aq.dlg@40tude.net:
>
> ...
>>> While they have the theoretical ability to do the second, in practice,
>>> they don't. So, don't trust a certificate unless _you_ - and not a
>>> third party - have followed the trust chain yourself.
>
>
> I have often wondered why hackers (using trojans, etc.) or even, say,
> coworkers in an office, don't install a bogus certificate (or better, a
> bogus certificate authority) into other folks' browsers.


Because this would leave traces? However, they do exactly this thing in
memory. Just create an invalid signature, but change the program's code to
make the verification pass.

"Sebastian G." <seppi@seppig.de> wrote in
news:5lftvoF8353vU2@mid.dfncis.de:

>> I have often wondered why hackers (using trojans, etc.) or even, say,
>> coworkers in an office, don't install a bogus certificate (or better,
>> a bogus certificate authority) into other folks' browsers.
>
>
> Because this would leave traces? However, they do exactly this thing
> in memory. Just create an invalid signature, but change the program's
> code to make the verification pass.


Sebastian, you have a positive gift for making something simple into
something difficult and complicated.

Installing a bogus certificate (or certificate authority) into a browser
is quick and simple - your grandmother could do it. No programming
knowledge, no hacking and reverse engineering expertise, no tedious
recoding required. Nor is making the certificate beforehand much bother
- any number of canned programs will do it.

As for traces, 99.9% of folks have no idea of what certificates or
authorities should be in their browsers (and, of course, a recoded
browser also leaves traces). Most haven't a clue about certificates at
all. But even if, by some fluke, someone did, so what if he finds a
bogus cerificate authority? That would tell him only what he already
would know by that time - that he'd been scammed.

Regards,

nemo_outis wrote:


> Sebastian, you have a positive gift for making something simple into
> something difficult and complicated.
>
> Installing a bogus certificate (or certificate authority) into a browser
> is quick and simple - your grandmother could do it.


And leaves traces. Which is bad.

> As for traces, 99.9% of folks have no idea of what certificates or
> authorities should be in their browsers


But a forensic expert at the police does.

> (and, of course, a recoded browser also leaves traces).


Not if you do it solely in memory.

> But even if, by some fluke, someone did, so what if he finds a
> bogus cerificate authority? That would tell him only what he already
> would know by that time - that he'd been scammed.

Depends on whether you want a long-term compromise. Phishing is only one
possible way of exploitation.

"Sebastian G." <seppi@seppig.de> wrote in
news:5lgcp6F85onuU1@mid.dfncis.de:

> Not if you do it solely in memory.


And not if you solely use genetically-altered trained baboons with head-
mounted lasers :-)

Why do you have this penchant for grossly overengineering everything,
Sebastian?

Regards,

nemo_outis wrote:

> "Sebastian G." <seppi@seppig.de> wrote in
> news:5lgcp6F85onuU1@mid.dfncis.de:
>
>> Not if you do it solely in memory.
>
>
> And not if you solely use genetically-altered trained baboons with head-
> mounted lasers :-)
>
> Why do you have this penchant for grossly overengineering everything,
> Sebastian?


We haven't talked about the intended impact so far. If you just want to
phish a home user, you can go even simpler by actually running an unmodified
connection and just manipulating the screen output. But if you're
compromising a corporate VPN with a well-understood PKI, you'd better not
touch the certificate store.

"Sebastian G." <seppi@seppig.de> wrote in
news:5lhhniF811v4U1@mid.dfncis.de:

>> Why do you have this penchant for grossly overengineering everything,
>> Sebastian?
>
>
> We haven't talked about the intended impact so far. If you just want
> to phish a home user, you can go even simpler by actually running an
> unmodified connection and just manipulating the screen output. But if
> you're compromising a corporate VPN with a well-understood PKI, you'd
> better not touch the certificate store.


Compromising a corporate VPN with a PKI? Where the **** do you get these
bizarre and contrived conditions to justify your bizarre and contrived
"solutions"?

No, Sebastian, we're only talking about the perfectly ordinary, perfectly
vanilla certificate store that is part of every browser on this planet.
And planting an additiona certificate or authority in one is child's play.

Regards,