1. I don't understand what you are asking here.
2. You need certificates for authentication. Security experts will argue that without authentication you cannot know who you are talking to, so there's little point in using SSL at all. However, SSL does not require authentication and provides the DH anonymous ciphersuites for unauthenticated connections. These ciphersuites are also implemented in the JSSE, and can be identified by the string 'DH_anon' in the SunJSSE provider documentation.
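As an added illustration of the point above (example code written for this thread, not part of the original post or of the JSSE itself), the following program asks the installed JSSE provider which 'DH_anon' suites it supports and whether each one is enabled by default; it assumes a standard JDK with the SunJSSE provider.

```java
import javax.net.ssl.SSLContext;
import java.security.NoSuchAlgorithmException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

/**
 * Lists the anonymous Diffie-Hellman cipher suites that the installed JSSE
 * provider supports and reports whether each is enabled by default.
 * Suite names containing "DH_anon" are the unauthenticated suites: they
 * encrypt the connection but give no way to tell who is on the other end,
 * so an active man-in-the-middle cannot be detected by either side.
 */
public class AnonSuiteCheck {

    /** Keeps only the suite names that contain the given marker, e.g. "DH_anon". */
    static List<String> filterSuites(String[] suites, String marker) {
        List<String> matches = new ArrayList<>();
        for (String s : suites) {
            if (s.contains(marker)) {
                matches.add(s);
            }
        }
        return matches;
    }

    public static void main(String[] args) throws NoSuchAlgorithmException {
        SSLContext ctx = SSLContext.getDefault();
        // Everything the provider can do versus what it turns on without configuration.
        String[] supported = ctx.getSupportedSSLParameters().getCipherSuites();
        Set<String> enabled = new HashSet<>(
                Arrays.asList(ctx.getDefaultSSLParameters().getCipherSuites()));

        List<String> anon = filterSuites(supported, "DH_anon");
        System.out.println("Anonymous DH suites supported by this JSSE: " + anon.size());
        for (String suite : anon) {
            // Current JDKs keep these in the supported list but disable them by
            // default through the jdk.tls.disabledAlgorithms security property,
            // so "enabled=false" is the expected (and safe) result here.
            System.out.println(suite + " enabled=" + enabled.contains(suite));
        }

        // Everything else uses a certificate-bearing key exchange (RSA, ECDHE_RSA,
        // ECDHE_ECDSA, ...), which is what an HTTPS server normally negotiates.
        System.out.println("Authenticated suites supported: " + (supported.length - anon.size()));
    }
}
```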
Originally posted by satish bodas:
1) If we use SSL we try and make the communication secure - how is it determined that the communication is secure?
2) Is it always necessary to have certificates when we use SSL?
If you use SSL, your communications are pretty secure. It's not absolutely secure. SSL is really only for HTTP; the more general term is TLS. Same idea, algorithms, etc.
Most folks simply use SSL and declare that it's suitable.
It is always necessary to have at least one certificate when using SSL. You can make it yourself; you do not need to pay big bucks to get one.
There are many discussions of the proper value of paying big bucks for SSL certs. In most cases, you are paying a lot of money for a number. Most cert vendors do little or nothing to verify identity, which is all that an SSL cert can address in the best case. So if they do little or nothing to verify identity, it's hard to argue that it's worth a lot of money.
Thanks Greg and Pat for your replies.
What I meant by secure regarding SSL (corrected as TLS!) is: what is it that guarantees its "secureness"?
To postulate: if I were a hacker and let's say someone was posting his login credentials on a form:
1) Plain HTTP: how do I get to "sniff" this data? Is it at all possible? I want to know more as an education rather than with any ill intent.
2) Same as 1, but the scenario with HTTPS.
3) Same again, HTTPS plus a certificate.
Regarding certificates - so all that the certificating authority does is give out an encoding/decoding mechanism? (I have my beginner's questions regarding certificates, which I will ask in a separate thread.)
So all that these authorities are supposed to "authenticate" is to verify that I am really who I proclaim to be - is that it?

I start a B to C business and want end users to buy stuff over the internet. To keep it safe I decide to use HTTPS with certificates (this is just a simple abstraction; surely there will be much more involved).
Now I have two choices:
1) Buy a certificate from a certificating authority (Thawte, VeriSign etc.)
2) Create my own certificate using the JDK
Use this certificate on the web server.
Any client accessing the site is asked to either "accept / decline" the certificate.
From my personal experience (and you can call me a fool!) I hardly bother reading any of the pop-ups or ads. If I am online and want to do a transaction, I just hit the website; if I get such a certificate pop-up, I simply accept and move on.
In such scenarios:
1) How does someone else fake my certificate?
2) Even if we have a valid / false certificate - for people like me who blindly accept - it doesn't matter, does it?
Last question - for some sites like Citibank on HTTPS, when I log in I do not see this pop-up.
Is it because these certificates are by default accepted by the browser?
So if I purchase a certificate from Thawte / VeriSign, then my site also wouldn't show this pop-up?
Long post, and I agree it may not be very clear, but as thoughts came to mind I put them down.
1) Plain HTTP: how do I get to "sniff" this data? Is it at all possible?
2) Same as 1, but the scenario with HTTPS.
3) Same again, HTTPS plus a certificate.
#1 - It's possible if you have access to the data flowing through the network, because HTTP sends everything in clear text. Getting access to the network is rather easy if a wireless network is used with weak or non-existing security.
#2 and #3 - Those are the same (HTTPS always involves a certificate). This is generally considered to be impossible for the average attacker, since all data is encrypted. It might be feasible if weak encryption is used (40 bit), but these days almost every certificate uses 128 bit, which pushes a successful attack into the realm of 3-letter organizations (like the NSA).
The CA authorities do not hand out an encoding/decoding mechanism, they hand out a certificate that authenticates you, and which includes your public key that can be used to send you encrypted data only you can decrypt. (As an aside, make sure you understand the difference between an encoding and an encryption).
Browsers come with a lot of certificates preinstalled, which you'll find buried somewhere deep inside the options/preferences. Those include the certificates of VeriSign and Thawte, so if some other site presents a certificate that is created by one of these companies, it is accepted by default. But if some site presents a certificate signed by an unknown (and thus untrusted) authority (maybe created by you using keytool), then the user is asked to confirm whether to trust it. And if you intend to leave personal or otherwise important information on that site, I'd advise you to carefully consider whether to trust that site.
Anybody can create a certificate claiming to be "satish bodas". But only if it came from a trusted source (like the companies mentioned above) would there be reason to think that it is indeed associated with you. If you inspect Citibank's certificate, you'll see that it comes from Verisign.
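To make the "preinstalled certificates" point concrete, here is an added example (written for this thread, not code from the original posts) that reads the root CAs shipped in the JDK's own trust store, the Java counterpart of the browser list Ulf describes, and reports how many of them carry a given CA brand name. It assumes a standard JDK; which brands appear depends on the JDK version's cacerts file.

```java
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;

/**
 * Enumerates the root CA certificates the JDK trusts out of the box.
 * A server certificate chains to one of these (VeriSign, Thawte, ...) is
 * accepted silently; a self-signed certificate made with keytool is not in
 * this list, which is exactly why the browser asks the user to confirm it.
 */
public class TrustedRoots {

    /** Subject names of every root CA in the JDK's default trust store. */
    static List<String> trustedRootSubjects() throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(
                TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null); // null means "use the default cacerts store"
        List<String> subjects = new ArrayList<>();
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                for (X509Certificate ca : ((X509TrustManager) tm).getAcceptedIssuers()) {
                    subjects.add(ca.getSubjectX500Principal().getName());
                }
            }
        }
        return subjects;
    }

    /** Keeps only the subjects whose distinguished name mentions the given brand. */
    static List<String> matching(List<String> subjects, String brand) {
        List<String> hits = new ArrayList<>();
        for (String dn : subjects) {
            if (dn.toLowerCase().contains(brand.toLowerCase())) {
                hits.add(dn);
            }
        }
        return hits;
    }

    public static void main(String[] args) throws Exception {
        List<String> roots = trustedRootSubjects();
        System.out.println("Root CAs trusted by default: " + roots.size());
        // The two brands named in the thread; newer JDKs may have retired some roots.
        for (String brand : new String[] {"VeriSign", "Thawte"}) {
            System.out.println(brand + ": " + matching(roots, brand).size() + " root(s)");
        }
    }
}
```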
(As an aside, make sure you understand the difference between an encoding and an encryption).
Spot on - that should have been encryption / decryption rather than encode / decode. Thank you.
I am still confused with a few points though. To quote Greg in an earlier post:
However, SSL does not require authentication and provides the DH anonymous ciphersuites for unauthenticated connections. These ciphersuites are also implemented in the JSSE, and can be identified by the string 'DH_anon' in the SunJSSE provider documentation
Question A: So my understanding is - SSL can also be used without an "authenticating" certificate? This may be rarely used, but if so desired it can be used without a certificate?
To further quote:
#2 and #3 - Those are the same (HTTPS always involves a certificate). ...
So Ulf, I believe you are referring to the most used and predominant usage of HTTPS (with certificates)?
Question B: Who is responsible for the encryption (when we use SSL with certificates)? Is the encryption an inherent part of HTTPS, or is it the certificate that specifies the encryption / decryption algorithm?
but these days almost every certificate uses 128 bit.....
From this statement of yours, I guess it's the certificate that decides the algorithm for encryption / decryption.
Question C: So if I create a certificate using keytool, can I guarantee that it uses 128 bit? And if so, then why should I spend a lot of money to buy a certificate from these companies? If my certificate is as secure as theirs (agreed, their algorithms will be more complex) - but as Ulf specified, if keytool gives me 128 bit then that's a tough nut to crack, right?
Question D: Continuation of question C. So the value addition of a certifying authority is that they are "trusted". I recently read a KPMG PDF article I downloaded regarding how certifying authorities are now also issuing certificates minus the authentication! (Agreed - end user customers may not trust a certificate posing as "satish bodas" not signed by Thawte / VeriSign etc.)
Question E (final question, honest!): Where can I get a good read / understanding about public / private keys?
Thank you Greg, Pat and Ulf for enhancing my knowledge.
Who is responsible for the encryption?
The certificate and the key it contains determine which algorithms are used. Of course, SSL doesn't support just any algorithm, just certain predetermined ones. Read up on SSL and PKI for more details.
So if I create a certificate using keytool can I guarantee that it uses 128 bit ?
Yes, keytool allows you to specify the key size.
and if so than why should I spend a lot of money to buy a certificate from these companies.
Originally posted by satish bodas: if so than why should I spend a lot of money to buy a certificate from these companies. If my certificate is as secure as theirs ( agreed their algorithms will be more complex )
So the value addition of a certifying authority is that they are "trusted"
Not quite. The cert you buy and the cert you make yourself use the same algorithms and can have the same key length. It's actually easier to make one with longer keys.
The algorithms are not more complex.
The "value" of using a commercial CA is that people "trust" them. Not that they actually deserve to be trusted. Many commercial CAs do nothing to verify that the requesting person is real, or owns the server. At least not for their relatively inexpensive certs. Some of them, when you spend serious money, do some token validation.
I could trivially request that Verisign issue me a cert saying that I'm "satish bodas" and I expect that I can get such a cert quickly and cheaply.
My guess is that I'm really not Satish, but you can't tell that from Verisign.
Most of this cert stuff was invented before the Internet became commercial. There was a lot of concern that naive folks would go to "sears.com" and buy stuff, not knowing that Sears.com was owned by satish bodas, and he's a crook. In practice, this has proven to be not a concern, as sears, walmart, amazon, etc. use trademarks and other legal approaches to protect their name and to establish a reputation.
From a practical standpoint, you gain next to nothing spending big bucks with Verisign, etc. But this is not about security; it's as much about marketing and warm and fuzzy feelings.
Thanks Pat, Ulf and Greg for clearing my concepts.
This is good! There is so much to get from this post; I had a really interesting time on this thread. Getting an SSL certificate from a trusted company is quite useful, as if you don't do this, there is not any specific reason to use it for communication security. Anything that assures you of the security standards is far better if you have to get trust from your visitors. SSL certificates are the standards set by the IETF for communication security. It encrypts the data with a private key and ensures the reliability of the flow of information in an encrypted form, with the private key being with the recipient. Well satish, people going with e-commerce sites and requiring the customers to submit personal details need to maintain e-commerce security to be a trusted service provider.