Digital certificates
Riateche, 2011-09-10 15:50:36

How to improve https security when using self-signed ssl certificate?

I have HTTPS configured on my site using a self-signed wildcard certificate (you can buy a good wildcard certificate only for a lot of money). User browsers, of course, complain, but this is not a very big problem for me. As far as I understand, when using a self-signed certificate, one vulnerability remains: the possibility that a man in the middle redirects the user to his own site. His certificate will also be untrusted, but the user may not notice this, since the browser will complain in the same way as it does about mine. How can the user be protected in this situation?
I have two ideas so far.
1. The user adds my certificate to the trusted ones, and in the future his browser no longer complains about it, but only about unfamiliar certificates. Do all browsers have an easy way to add a certificate to the trusted ones? Does it reduce security? As far as I understand, if I add a certificate as a root, I can then issue myself a certificate for, say, google.com, i.e. it is not safe for users. This possibility must be avoided.
Where can I upload the certificate for download so that this can be avoided? It is necessary that there be HTTPS and that it be difficult to change the file there.
2. I publish a SHA-1 fingerprint that the user can use to verify the authenticity of the certificate. Is it possible to do so at all? Is it reasonable?


3 answers
okazymyrov, 2011-09-10
@okazymyrov

> Where can I upload the certificate for download so that this can be avoided? It is necessary that there be HTTPS and that it be difficult to change the file there.

In Chrome, you can view the certificate and export it. I think that it will be enough to write a manual on how to download it to your computer and add it to the trusted ones.

Masterkey, 2011-09-10
@Masterkey

Read Habr!
habrahabr.ru/blogs/sysadm/127643/
1. Yes, it reduces security: he does not know exactly whose certificate he added.
In the four browsers, yes, everything is quick. Browsers do not have such an option to add your certificate as a root. There is no such possibility.
2. The certificate already has all these fingerprints, and besides, SHA-1 is compromised.
It's possible, but it's stupid.

xaker1, 2011-09-10
@xaker1

1) It is possible, but not always trivial.
Safari and Chrome (like the latest versions of Firefox, it seems) use the IE certificate store. Other browsers have their own. In some browsers, it is enough to tick the notification box; in some it is more difficult.
In general, there is a way out, and it was named in the previous topic. This is StartSSL, which I wrote about.
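The fingerprint check from idea 2 of the question, written out as an added example (not code from anyone in this thread): the site owner publishes a fingerprint out of band, and the client compares it with the fingerprint of the certificate the server actually presents. It uses SHA-256 instead of SHA-1, following the second answer's point that SHA-1 is compromised; `SAMPLE_DER` is a constructed stand-in for the real certificate bytes, and the host name in `check_server` is whatever the user supplies.

```python
import hashlib
import hmac
import ssl

# Hash algorithms accepted for pinning. SHA-1 is deliberately excluded:
# a published fingerprint is only as strong as the hash behind it.
ALLOWED_ALGOS = {"sha256"}


def is_pinnable_algo(algo: str) -> bool:
    return algo in ALLOWED_ALGOS


def fingerprint(der_cert: bytes, algo: str = "sha256") -> str:
    """Colon-separated, upper-case fingerprint in the form browsers display."""
    if not is_pinnable_algo(algo):
        raise ValueError(f"{algo} is not accepted for pinning")
    digest = hashlib.new(algo, der_cert).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize(fp: str) -> str:
    """Accept 'AB:CD', 'ab cd' or 'abcd' and reduce them to one canonical form."""
    return "".join(c for c in fp if c.isalnum()).upper()


def matches_pin(der_cert: bytes, published_fp: str, algo: str = "sha256") -> bool:
    """Constant-time comparison of the presented certificate against the published pin."""
    actual = normalize(fingerprint(der_cert, algo))
    return hmac.compare_digest(actual.encode(), normalize(published_fp).encode())


def check_server(host: str, published_fp: str, port: int = 443) -> bool:
    """Fetch the certificate the server presents and compare it with the pin.

    get_server_certificate() without ca_certs does not validate the chain, so a
    self-signed certificate is accepted here; trust comes only from the pin match.
    """
    pem = ssl.get_server_certificate((host, port))
    return matches_pin(ssl.PEM_cert_to_DER_cert(pem), published_fp)


# Constructed sample standing in for the DER bytes of the site owner's certificate.
SAMPLE_DER = b"constructed-der-bytes-for-the-site-certificate"
# What the site owner would publish next to the download link.
SAMPLE_PIN = fingerprint(SAMPLE_DER)

if __name__ == "__main__":
    print("published:", SAMPLE_PIN)
    print("matches:", matches_pin(SAMPLE_DER, SAMPLE_PIN))
```

Run `check_server("example.invalid", SAMPLE_PIN)` style calls against a host whose pin you obtained from a trusted channel; a mismatch means the certificate presented is not the one the owner published, whichever party is behind it.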
