Information Security
alexdora, 2016-06-12 20:22:09

Are your own SSL certificates more secure than purchased ones?

I worked out and experimented with MITM (https://toster.ru/q/327584), and to retell the whole topic briefly: As a result, the guys who forged "almost all" well-known certificate authorities pulled out the data in 10-15 minutes by routing the traffic through a VPN connection.
Talking about the security of HTTPS sites is generally ridiculous, because even I, a clueless person who knows three Linux commands, managed to set up MITMPROXY easily and pull out almost all the data by redirecting the traffic from the device to its port. Of course, the TLS that was wired into the application turned out to be an unbreakable wall for me.
The question is the following. I have projects with important data, and their certificates are purchased. After brainstorming about MITM I thought: since the projects are not public, wouldn't it be easier to issue certificates for each device from my own root CA?
It would simply be safer and free, because it is unlikely that anyone will find my CA and try to forge it. I do not suffer from panic attacks along the lines of "everyone is listening to us, they are following me". It's just that the certificates expire in a month and need to be renewed, and there are about 35 of them. You can work out yourself how much money that is... and all of it comes out of my pocket. When I originally bought them, I did not know about such attacks and actually thought that buying was safer. I'd like to hear comments on this topic from experts, or links to read.


5 answer(s)
CityCat4, 2016-06-13
@alexdora

A certificate is not a magic button that makes everything safe, but simply a tool. Well, let's say a knife. You can make it yourself, or you can buy one from a well-known company. But it will still be just a knife, and if you do not know how to use it, there will be no benefit from it. Your own CA is free. And, as a rule, everyone comes to this when the number of certificates grows and the number of correspondents is limited. They just install your root certificate, and voila.

Sanes, 2016-06-12
@Sanes

Shall we do an experiment? I will enter the password, and you will try to intercept it. I have big doubts about your success.

Yuri Chudnovsky, 2016-06-13
@Frankenstine

As a result, the guys who forged "almost all" well-known certificate authorities

Nonsense. You didn't read what you did: you yourself installed the rogue root certificate on the client from the mitm.it page, which allowed the MITM attack. Without this, nothing would have happened.
Come on, install MITMPROXY for me.

Andrew, 2016-06-12
@OLS

To complete the picture, also look into KEY PINNING.
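The following shell script is an added example, not code from the thread or from any of the posters. It walks through what the question and the answers above describe with nothing but the openssl command line: it builds a private root CA, issues per-device leaf certificates from it, shows that a leaf for the same hostname issued by a different root (the role mitmproxy's CA played in the question) fails chain validation against the private root and only passes if that other root is trusted, and computes the SPKI pin that key pinning compares against, showing that renewing a leaf with the same key leaves the pin unchanged. It assumes openssl 1.1.1 or later is on PATH; the CA names, hostnames and working directory are made up for the demonstration.

```shell
#!/bin/sh
# Private root CA + per-device certificates + SPKI pinning, OpenSSL only.
# Added example, not code from the thread. Assumes openssl >= 1.1.1 on PATH.
# CA names, device hostnames and the working directory are made up.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# gen_key FILE: 2048-bit RSA private key.
gen_key() {
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$1" 2>/dev/null
}

# make_ca NAME: self-signed root in $WORK/NAME/{ca.key,ca.crt}.
# Extensions come from our own extfile, so the root is a usable CA on every
# OpenSSL version regardless of what the system openssl.cnf contains.
make_ca() {
  dir="$WORK/$1"; mkdir -p "$dir"
  gen_key "$dir/ca.key"
  openssl req -new -key "$dir/ca.key" -sha256 -subj "/CN=$1" -out "$dir/ca.csr" 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\nsubjectKeyIdentifier=hash\n' \
    > "$dir/ca_ext.cnf"
  openssl x509 -req -sha256 -days 3650 -in "$dir/ca.csr" -signkey "$dir/ca.key" \
    -extfile "$dir/ca_ext.cnf" -out "$dir/ca.crt" 2>/dev/null
}

# issue_device_cert CA DEVICE: leaf for DEVICE signed by CA, kept under
# $WORK/devices/CA/DEVICE/. An existing device key is reused, so a renewal
# (the monthly problem in the question) changes the certificate, not the key.
issue_device_cert() {
  dir="$WORK/devices/$1/$2"; mkdir -p "$dir"
  [ -f "$dir/device.key" ] || gen_key "$dir/device.key"
  openssl req -new -key "$dir/device.key" -sha256 -subj "/CN=$2" -out "$dir/device.csr" 2>/dev/null
  # Leaf-only extensions: never a CA, and a SAN so hostname checks succeed.
  printf 'basicConstraints=critical,CA:FALSE\nsubjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' "$2" \
    > "$dir/ext.cnf"
  openssl x509 -req -sha256 -days 365 -in "$dir/device.csr" \
    -CA "$WORK/$1/ca.crt" -CAkey "$WORK/$1/ca.key" -CAcreateserial \
    -extfile "$dir/ext.cnf" -out "$dir/device.crt" 2>/dev/null
}

# verify_against CA CERTFILE: succeeds only if CERTFILE chains to that root.
# This is the check a client with a fixed trust store performs; a leaf from
# any other root (mitmproxy's, say) fails here unless that root was installed.
verify_against() {
  openssl verify -CAfile "$WORK/$1/ca.crt" "$2" >/dev/null 2>&1
}

# spki_pin CERTFILE: base64(SHA-256(SubjectPublicKeyInfo DER)), the pin format
# used by HPKP and by Android's network security config.
spki_pin() {
  openssl x509 -in "$1" -pubkey -noout \
    | openssl pkey -pubin -outform der 2>/dev/null \
    | openssl dgst -sha256 -binary \
    | openssl base64 -A
}

# check_pin CERTFILE EXPECTED_PIN: the pinning step a client runs after
# (not instead of) chain validation.
check_pin() {
  [ "$(spki_pin "$1")" = "$2" ]
}

demo() {
  host=device01.example.internal
  make_ca private-root
  make_ca rogue-root                          # stands in for mitmproxy's CA
  issue_device_cert private-root "$host"
  issue_device_cert rogue-root "$host"        # same name, different issuer
  good="$WORK/devices/private-root/$host/device.crt"
  bad="$WORK/devices/rogue-root/$host/device.crt"

  verify_against private-root "$good" && echo "own leaf: accepted by private root"
  verify_against private-root "$bad"  || echo "rogue leaf: rejected by private root"
  verify_against rogue-root   "$bad"  && echo "rogue leaf: accepted only where the rogue root is trusted"

  pin="$(spki_pin "$good")"
  echo "pin for $host: $pin"
  check_pin "$bad" "$pin" || echo "rogue leaf: pin mismatch even if its root were trusted"
  issue_device_cert private-root "$host"      # renewal with the same key
  check_pin "$good" "$pin" && echo "renewed leaf: pin unchanged"
}

demo
```

The script makes the thread's point concrete: the private root does not stop the interception described in the question if the client still accepts user-installed roots, because the rogue leaf verifies fine against the rogue root; it only helps on clients whose trust store contains exactly your root, and pinning the SPKI hash inside the application closes the remaining gap. Pin the key rather than the certificate, as `spki_pin` does, so routine renewal does not brick the pinned clients.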
