Self-signed security certificates.. (oh, the evil)

[Andrew Thompson]

There are a number of ways to get a security certificate that
will (if accepted by the end user) allow applets and other
projects to gain extended privileges.

However, signing an applet or application can be a daunting
task, especially in regards to acquiring a valid security
certificate. As a result of this, a lot of developers are
discouraged from taking that route.

The developer might be prepared to pay for a fully verified
certificate, but they generally would want to see the process
work before they lay down $, right?

Some of the ways of getting a certificate *for* *testing*
purposes are expensive, while others are quite obtuse
or difficult.

Are there any IDE's that will do this stuff* for you?
* Create a self signed certificate and sign a jar with it.

Is my assumption that 'people want to see it work
before paying money' valid?

Most specifically, can anybody here attest that they
*paid* for a code signing certificate before they had
seen it work for a project?

[ This is all leading to "Does it make sense to issue a
'self-signed' certificate for all to use, in the name of
'!!Danger!! - Developer Only!'..."? ]

--
Andrew Thompson
physci.org 1point1c.org javasaver.com lensescapes.com athompson.info
"Power and priviledge cannot move a people, who know where they stand, and
stand in the law."
Paul Kelly 'From Little Things, Big Things Grow'

 

[Roedy Green]

Are there any IDE's that will do this stuff* for you?
* Create a self signed certificate and sign a jar with it.

Once you see it done and you can it in a bat file, it is so simple you
wonder what all the fuss was about.

One the cert exists you jar and sign in ant like this:

<!-- J A R -->
<!-- Make genjar known to ant -->
<!-- See http://mindprod.com/jgloss/genjar.html for details -->
<taskdef resource="genjar.properties" />

<target name="jar" depends="compile">
<genjar jarfile="${jar.file}">
<!-- include main class and all its dependencies -->
<class name="${main.class}" />
<!-- define the manifest -->
<manifest>
<attribute name="Main-Class" value="${main.class}" />
</manifest>
</genjar>
<!-- S I G N -->
<!-- get password from set jarsignerpassword=sesame -->
<property environment="env" />
<signjar jar="${jar.file}"
alias="mindprodcert2005dsa" storepass="${env.jarsignerpassword}"/>
</target>

to generate your cert:

REM DSA for JDK 1.2 compatibility, private-public pair.
REM However RSA is what most modern certs use.
rem see http://docs.sun.com/source/816-5539-10/app_dn.htm for
construction of distinguished name

REM generate private/public key pair
keytool -genkey -storepass %jarsignerpassword -keyalg DSA -alias
mindprodcert2005dsa -dname "CN=mindprod.com, OU=Java Code, O=Canadian
Mind Products, L=Victoria, ST=British Columbia, C=CA,
[email protected] DC=mindprod, DC=com" -validity 999

REM generate the self-signed certificate containing public key
keytool -selfcert -storepass %jarsignerpassword -alias
mindprodcert2005dsa -validity 999

REM export the self-signed certificate in x.509 printable format,
public key only.
keytool -export -storepass %jarsignerpassword -alias
mindprodcert2005dsa -rfc -file mindprodcert2005dsa.cer


for details of cert generation see
http://mindprod.com/jgloss/keytool.html

 

[Roedy Green]

Most specifically, can anybody here attest that they
*paid* for a code signing certificate before they had
seen it work for a project?

Think "What is a certificate from Thawte for?". They are helping
someone determine if a program they found on the net was indeed truly
written by Canadian Mind Products, all without checking back to the
CMP website.

Thawte vouches : yes it was him. They are also indirectly vouching
that Roedy Green and Canadian Mind Products really exist . CMP is a
real company. They are in the phone book. Roedy has a passport. They
are also vouching that CMP is flush enough to part with $400 US a year
for the cert, no little fly by night.

Let us say I am too cheap or poor to buy a cert and use a self signed
one. Well, it is obvious that whomever created the cert is the
person who created the CMP website. People trust whomever runs that
website just as much as they trust the company Canadian Mind Products.

So there really should not be an issue of trusting the identity of
that cert ON MY WEBSITE. Now elsewhere, there is nothing to stop
someone form taking one of my downloads, screwing with the code, and
resigning with a fake certificate using my name.

The problem is people don't realize this and are overly afraid of my
phony cert on my website.

I have been creating ASP PAD XML file descriptors for all my code
which invites people to download and redistribute my downloads.
Ideally I would like to sign those with a real certificate.

 

[Andrew Thompson]

CMP is a real company.

Do you mean that CMP is actually a *registered* comany?
It had never occured to me. I understood that registering
a company was a relatively expensive business, in just
about any country.

..They are in the phone book.

[ I would prefer not to be, but could not be bothered
paying the extra to have the phone company suppress
the number! ]

..Roedy has a passport.

...I am *trying* to get one at the moment! ;-)

Let us say I am too cheap or poor to buy a cert and use a self signed
one. Well, it is obvious that whomever created the cert is the
person who created the CMP website. People trust whomever runs that
website just as much as they trust the company Canadian Mind Products.

So there really should not be an issue of trusting the identity of
that cert ON MY WEBSITE.

That is probably the only reason I am prepared to use a self-signed
certificate. My software comes from my site only, so if the user trusts
me, they should be willing to trust a self-signed certificate coming
directly off my site - if they don't trust me, the rest is moot.

--
Andrew Thompson
physci.org 1point1c.org javasaver.com lensescapes.com athompson.info
"When you believe in things that you don't understand, you suffer.
Superstition ain't the way"
Stevie Wonder 'Superstitious'

 

[Andrew Thompson]

Once you see it done ..

Thanks Roedy. That looks (at a glance) like the answer
to my question. A couple of bat files and the Ant task,
would be the way to go.

Would you (consider doing)/(have done) a page devoted to it?

--
Andrew Thompson
physci.org 1point1c.org javasaver.com lensescapes.com athompson.info
"He thinks he can run, it's a matter of pride. But he keeps coming back,
like a cork on the tide."
Paul Kelly 'Deeper Water'

 

[Roedy Green]

Would you (consider doing)/(have done) a page devoted to it?

The cert part is already done. ANT is on my todo list.

 

[Roedy Green]

Do you mean that CMP is actually a *registered* comany?
It had never occured to me. I understood that registering
a company was a relatively expensive business, in just
about any country.

I am registered in that I have DUNS number and the Canadian equivalent
of the IRS knows about it. I am not incorporated. That means all
debts my company incurs are my personal debts. I can't just fold the
company if something goes wrong.

There is almost no paperwork at all to start a company in Canada, only
to incorporate.

 

[Roedy Green]

That is probably the only reason I am prepared to use a self-signed
certificate. My software comes from my site only, so if the user trusts
me, they should be willing to trust a self-signed certificate coming
directly off my site - if they don't trust me, the rest is moot.

The problem is people don't understand certs. But then again I have
people afraid of unsigned Applets. There was even a twit afraid to
look at a totally vanilla html page on my site.

It is primarily a matter of familiarity not actual risk.

 

[Andrew Thompson]

I am registered in that I have DUNS number and the Canadian equivalent
of the IRS knows about it. I am not incorporated. That means all
debts my company incurs are my personal debts. I can't just fold the
company if something goes wrong.

There is almost no paperwork at all to start a company in Canada, only
to incorporate.

Oh right, in Australia you can ..
- trade under your own name with no paperwork (barring Tax)
- a 'registered business name', with a small amount of
paperwork and a nominal yearly fee, or a *
- company for a stupendous amount of paperwork and *enormous* fees.

I would say that the 'registered business name' is the
closest Aus. equivalent to what you are describing.

--
Andrew Thompson
physci.org 1point1c.org javasaver.com lensescapes.com athompson.info
"Power and priviledge cannot move a people, who know where they stand, and
stand in the law."
Paul Kelly 'From Little Things, Big Things Grow'

 

[Andrew Thompson]

The problem is people don't understand certs. But then again I have
people afraid of unsigned Applets.

Some nong wrote to me imploring me to 'stop using Flash'(?!?).
Since I use no Flash, I could not even be bothered replying...

There was even a twit afraid to
look at a totally vanilla html page on my site.

...but that takes the cake!

Did you manage to help that poor sod?

--
Andrew Thompson
physci.org 1point1c.org javasaver.com lensescapes.com athompson.info
"If no one out there understands, start your own revolution and cut out the
middle man."
Billy Bragg 'Waiting For The Great Leap Forward'

 

[Roedy Green]

..but that takes the cake!

Did you manage to help that poor sod?

I suggested he look at it a library. He was convinced somehow I would
insert a virus into his computer.

 

[Chris Berg]

On Sat, 10 Sep 2005 01:53:20 GMT, Andrew Thompson

.....

Is my assumption that 'people want to see it work
before paying money' valid?

......

I have signed applet for many years now (6 years, i guess). I have
used certs from Thawte and have been satisfied with their service - I
even got some free technical assistance once.

It takes some work to figure out exactly how to sign an applet - I've
done it both for MS .cab type applets and for SUN .jar type.
Completely different stories. But Roedy has a point: as soon as you
get it right, you create a .bat file and forget about the details.
That is, until you renew the cert, which you have to do once a year!!
Then for some reason your .bat file doesn't work anymore because you
installed a new key or a new VM. So, you have to adjust the .bat file
which is not so easy as you have completely forgotten how it worked a
year ago.

Buy the cert, you WILL be able to use it. In Java2, it has become much
easier, as you no longer have to write special code to ask for
privileges, which you had to do in IE/MS-VM and in Netscape. That was
REALLY a nuissance.

By the way, I always found that applet code-signing has one major
weakness: If the user doesn't acknowledge the security dialog (and you
really can't blame him, with all the malicious code that websites
these days try to persuade you to run), then the browser simply
rejects the applet. I cannot understand why this is so. Why can't the
browser just run the applet in the sandbox with normal applet
privileges?. Every time the code does 'illegal' things, a
SecurityException will occur, and your code could react, perhaps
telling the user why it cannot save data on disk or whatever.

Chris

 

[Andrew Thompson]

On Sat, 10 Sep 2005 01:53:20 GMT, Andrew Thompson

....

Is my assumption that 'people want to see it work
before paying money' valid?

.....

I have signed applet for many years now (6 years, i guess).
[1]

By the way, I always found that applet code-signing has one major
weakness: If the user doesn't acknowledge the security dialog (and you
really can't blame him, with all the malicious code that websites
these days try to persuade you to run), then the browser simply
rejects the applet.

Roedy's WassUp applet can work just fine in both signed
and unsigned modes. I have seen it do so on a number
of occasions.

I cannot understand why this is so.

The only thing I can guess without an URL is that you are
doing it differently to Roedy, and I further guess (from
the fact that Roedy's works - whereas yours doesn't) wrong.

Try it for yourself, visit the URL and *refuse* permission.
<http://mindprod.com/applets/wassup.html>

So, got an SSCCE and URL that shows the problem?

[1] In all those words you do not seem to have answered the
basic question you quoted - would you mind?

 

[Roedy Green]

The only thing I can guess without an URL is that you are
doing it differently to Roedy, and I further guess (from
the fact that Roedy's works - whereas yours doesn't) wrong.

you have to catch the Security exceptions and do something else.

 

[Raymond DeCampo]

That is probably the only reason I am prepared to use a self-signed
certificate. My software comes from my site only, so if the user trusts
me, they should be willing to trust a self-signed certificate coming
directly off my site - if they don't trust me, the rest is moot.

The problem is not one of trusting you; it is trusting that there has
not been a "man in the middle" attack. By using a third party, the end
user is assured that the third party is confident that you actually
signed the code.

Ray

 

[Darren]

There are a number of ways to get a security certificate that
will (if accepted by the end user) allow applets and other
projects to gain extended privileges.

However, signing an applet or application can be a daunting
task, especially in regards to acquiring a valid security
certificate. As a result of this, a lot of developers are
discouraged from taking that route.

The developer might be prepared to pay for a fully verified
certificate, but they generally would want to see the process
work before they lay down $, right?

Some of the ways of getting a certificate *for* *testing*
purposes are expensive, while others are quite obtuse
or difficult.

Are there any IDE's that will do this stuff* for you?
* Create a self signed certificate and sign a jar with it.

Is my assumption that 'people want to see it work
before paying money' valid?

Most specifically, can anybody here attest that they
*paid* for a code signing certificate before they had
seen it work for a project?

[ This is all leading to "Does it make sense to issue a
'self-signed' certificate for all to use, in the name of
'!!Danger!! - Developer Only!'..."? ]

I found this on google
http://www.suitable.com/docs/signing.html
The question is there any legal, moral reason why should not be able to
produce code signitures for own web sites? After all my applet is not
accessing a users own harddrive in fact its only testing a socket connection
to my own website on port 80. Completely harmless.

 

[Roedy Green]

The problem is not one of trusting you; it is trusting that there has
not been a "man in the middle" attack.

By this you mean somebody interfering with the transmission from your
site to the end user in real time, which is much less likely than the
sort of attack of somebody downloading your code meddling with it,
then reposting it elsewhere.

The Thawte style cert will protect you from both. A self-signed cert
will protect you from neither.

The self signed cert does almost nothing but add a fancy checksum to
the download.

 

[Roedy Green]

The question is there any legal, moral reason why should not be able to
produce code signitures for own web sites? After all my applet is not
accessing a users own harddrive in fact its only testing a socket connection
to my own website on port 80. Completely harmless.

Let's up the ante here by assuming you are a terrorist organisation
and the combined resources of all branches of the US government are
out to thwart you.

The job of the government is to meddle with terrorist code to insert
spyware.

Let's say the terrorists are on a budget and decide to use a self
signed cert.

During the download, the government can rejar the app as it goes by
adding spy code, using their OWN self signed cert which they
conveniently include in the Jar, signing it "Terrists' R US" just like
the original.

How do the terrorists detect this? The jar seems perfectly normal.
Some one gets suspicious ands says, lets download the public key from
the cert to be sure.

The CIA is on the ball, and intercept the request and delivers the
public key of THEIR phony cert.

Now if the terrorists were very clever, they would phone and ask the
fingerprint of the cert and compare that. However the fingerprint
displaying program was long ago compromised in a supposed Windows
update.

Another band of terrorists would use a Thawte Cert. For the CIA to
pull the same stunt they would have to guess the private key of the
terrorist cert. Thawte does not know it.

To avoid the expense of code cracking, the CIA would insist that the
instructions for buying certs be complicated. Then when naive
terrorists came along to buy one, they could be easily duped into
revealing their private key as part of the install or key creation
procedures.

Clever terrorists would use one-time pad encryption, and would never
allow their crucial computers to be attached to the net. They would
use linux not windows so that they could check out all updates. They
would never trust certificates which are effectively under government
control.

 

[Darren]

Let's up the ante here by assuming you are a terrorist organisation
and the combined resources of all branches of the US government are
out to thwart you.

The job of the government is to meddle with terrorist code to insert
spyware.

Let's say the terrorists are on a budget and decide to use a self
signed cert.

During the download, the government can rejar the app as it goes by
adding spy code, using their OWN self signed cert which they
conveniently include in the Jar, signing it "Terrists' R US" just like
the original.

How do the terrorists detect this? The jar seems perfectly normal.
Some one gets suspicious ands says, lets download the public key from
the cert to be sure.

The CIA is on the ball, and intercept the request and delivers the
public key of THEIR phony cert.

Now if the terrorists were very clever, they would phone and ask the
fingerprint of the cert and compare that. However the fingerprint
displaying program was long ago compromised in a supposed Windows
update.

Another band of terrorists would use a Thawte Cert. For the CIA to
pull the same stunt they would have to guess the private key of the
terrorist cert. Thawte does not know it.

To avoid the expense of code cracking, the CIA would insist that the
instructions for buying certs be complicated. Then when naive
terrorists came along to buy one, they could be easily duped into
revealing their private key as part of the install or key creation
procedures.

Clever terrorists would use one-time pad encryption, and would never
allow their crucial computers to be attached to the net. They would
use linux not windows so that they could check out all updates. They
would never trust certificates which are effectively under government
control.

That's the extreme and fair enough but as there appears to be a way (less
i'm not reading this right) of producing a cert yourself then is there a
legal or moral reason why i shouldn't? Surely these things are encrypted
with a one way enryption etc, blah .

 

[Andrew Thompson]

you have to catch the Security exceptions and do something else.

I suspected it was something along those lines, but did not
have time to check. WassUp is a great little applet.

--
Andrew Thompson
physci.org 1point1c.org javasaver.com lensescapes.com athompson.info
"We are about to attempt a crash landing. Please extinguish all
cigarettes.."
Laurie Anderson 'From The Air'