Self-signed security certificates.. (oh, the evil)

Andrew Thompson


There is lots of stuff on Google, of varying quality.
Those pages tend towards the 'crap'.

<http://www.suitable.com/docs/signingoverview.html#CAs>
This states "Your last option is to create test
certificates[1]. These are free (good), but won't be
recognized unless you prepare your browser
(inconvenient, and perhaps unsecure). "

[1] For 'test' read 'self-signed'

Rubbish.

The end user is presented with a dialog asking them
if they want to accept the code. If they click 'yes',
it has full privileges, End Of Story.

That same advice is echoed in the document to which
the first links.
The question is there any legal, moral reason why should not be able to
produce code signatures for own web sites?

Nobody has suggested otherwise until now.

...This makes me wonder if you really understand the nature
and purpose of these certificates. Nobody cares if you (or
I) want to produce 1000, or 10,000, self-signed certificates,
or any number of certificates verified by a CA (at phenomenal
cost).

The only issue would be if someone managed to find a way
to issue digital certificates that *claimed* to have been CA
verified, but were *not*. That would both ruin the perception
of security that the digital identities are supposed to ensure,
and be very bad for the CA from a business POV.
 
Darren

Andrew Thompson said:
There is lots of stuff on Google, of varying quality.
Those pages tend towards the 'crap'.

I bow to your experience on this one.
<http://www.suitable.com/docs/signingoverview.html#CAs>
This states "Your last option is to create test
certificates[1]. These are free (good), but won't be
recognized unless you prepare your browser
(inconvenient, and perhaps unsecure). "
Especially if other people access the page that uses the applets signed with
them.
[1] For 'test' read 'self-signed'

Rubbish.

The end user is presented with a dialog asking them
if they want to accept the code. If they click 'yes',
it has full privileges, End Of Story.
Again, not precisely what I'm after.
That same advice is echoed in the document to which
the first links.


Nobody has suggested otherwise until now.

..This makes me wonder if you really understand the nature
and purpose of these certificates. In truth, no
Nobody cares if you (or
I) want to produce 1000, or 10,000, self-signed certificates,
or any number of certificates verified by a CA (at phenomenal
cost).

The only issue would be if someone managed to find a way
to issue digital certificates that *claimed* to have been CA
verified, but were *not*. That would both ruin the perception
of security that the digital identities are supposed to ensure,
and be very bad for the CA from a business POV.

Well, I don't care if they are CA certified. For my purposes ME certified
would do. Can a certificate tell a browser to look at a remote Java policy
file (one on my site) rather than the browser's default, for example?
 
Andrew Thompson

Again, not precisely what I'm after.

Can you describe the experience you expect for the end user?
In terms of..
- user follows link.
- user sees page.
- dialog appears asking 'run privileged code?'
- user clicks...
(well - you need to tell me, in your own words)

[ I am beginning to doubt that what you want is possible,
but I am not yet *sure* what you want. ]
In truth, no

Have you tried installing any applets or projects that
are signed? Going through the process of downloading
a JWS app. may answer a lot of your questions.
Well I don't care if they are CA certified. For my purposes ME certified
would do. Can a certificate tell a browser ...

No certificate in existence can *tell* a browser to *do*
anything. It all comes down to *asking* the *user*.

Try to get that distinction clear, as it is fundamental
to understanding what will happen with code signatures
and permissions.
..to look at a remote Java policy
file (one on my site) rather than the browser's default, for example?

What is it supposed to do once it 'looks' at that policy file?
Open the end user's machine to anything that is allowed in the
policy file on your site?

Even if JWS were set up that way, it would still be up
to the *end* *user* to say 'Yes - use the other policy file'.

It is *not* down to 'the browser' alone. If it were, I might
surf in to your site only to have my own browser load a (hidden)
applet that, 'picking up' your policy file, now has unrestricted
access to my PC. Not good.

Any which way you go, the user is asked for their permission.
That is both ..
- a good thing
- unavoidable.
 
Roedy Green

The end user is presented with a dialog asking them
if they want to accept the code. If they click 'yes',
it has full privileges, End Of Story.

Not quite true. The dialog for a self-signed cert tends to discourage
the user from hitting grant more than one from Thawte.

To get your cert accepted on equal footing, you have to import it as a
trusted authority.
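
[Added example, not part of the original thread or any poster's code: a small Java tool that reports, for each signer of a JAR, whether its certificate is self-signed and whether that same certificate has been imported into the running JRE's trust store, which is the distinction drawn in the post above. The class name `SignerCheck` is hypothetical, the JAR path is supplied on the command line, and Java 9 or later is assumed.]

```java
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.*;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

public class SignerCheck {  // hypothetical name, added for illustration
    // Self-signed: subject equals issuer AND the signature verifies under the cert's own key.
    static boolean isSelfSigned(X509Certificate c) {
        if (!c.getSubjectX500Principal().equals(c.getIssuerX500Principal())) return false;
        try { c.verify(c.getPublicKey()); return true; }
        catch (Exception e) { return false; }
    }

    // Trust anchors of the running JRE (its default trust store, normally cacerts).
    static Set<X509Certificate> trustAnchors() throws Exception {
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null);  // null selects the default trust store
        Set<X509Certificate> anchors = new HashSet<>();
        for (TrustManager tm : tmf.getTrustManagers())
            if (tm instanceof X509TrustManager)
                anchors.addAll(Arrays.asList(((X509TrustManager) tm).getAcceptedIssuers()));
        return anchors;
    }

    public static void main(String[] args) throws Exception {
        Set<X509Certificate> anchors = trustAnchors();
        Set<X509Certificate> signers = new LinkedHashSet<>();
        try (JarFile jar = new JarFile(args[0], true)) {  // true = verify signatures
            for (JarEntry e : Collections.list(jar.entries())) {
                // Signer certificates are only available after the entry has been read
                // to the end; a tampered entry throws SecurityException here.
                try (InputStream in = jar.getInputStream(e)) { in.readAllBytes(); }
                Certificate[] chain = e.getCertificates();  // null for unsigned entries
                // chain[0] is the first signer's own certificate (chains run bottom-up).
                if (chain != null && chain.length > 0) signers.add((X509Certificate) chain[0]);
            }
        }
        if (signers.isEmpty()) System.out.println("no signed entries found");
        for (X509Certificate c : signers) {
            String kind = !isSelfSigned(c) ? "issued by " + c.getIssuerX500Principal()
                        : anchors.contains(c) ? "self-signed, imported as a trust anchor"
                        : "self-signed, not in the trust store";
            System.out.println(c.getSubjectX500Principal() + ": " + kind);
        }
    }
}
```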
 
Andrew Thompson

But a policy file can.

Thank you for adding that piece of information that will
probably assist in further confusing the OP.

You cannot *install* a policy file off a web site
automatically therefore it is utterly irrelevant
to this thread.

--
Andrew Thompson
physci.org 1point1c.org javasaver.com lensescapes.com athompson.info
"Power and privilege cannot move a people, who know where they stand, and
stand in the law."
Paul Kelly 'From Little Things, Big Things Grow'
 
Roedy Green

You cannot *install* a policy file off a web site
automatically therefore it is utterly irrelevant
to this thread.

You can with ONE grant which then can completely change the rules
subsequently.

Think about how you might legitimately go about installing policy
files, installing self-signed certs as official etc.
 
Chris Berg

Heureka!

In IE/MS-VM and old Netscape it doesn't load, so I simply imagined
that would be the situation forever. But I now see that it is
different with the SUN plugin. I just didn't try it until now.

Happiness prevails!
 
Chris Berg

On Sun, 11 Sep 2005 08:34:14 GMT, Roedy Green

I'm tempted to try a self-signed certificate after all this talk, but
is it not so that the browser won't allow you to 'Always grant'
permission, that is, install the cert and never ask again? That would
be my good reason to stick to a purchased one.
 
Andrew Thompson

Heureka!

In IE/MS-VM and old Netscape it doesn't load, so I simply imagined
that would be the situation forever. But I now see that it is
different with the SUN plugin. I just didn't try it until now.

An extra tip. Old NN might throw a different flavor of
Exception*, if you need to support it, run your code in
it to check what it throws.

* I am pretty sure the code will still load if you can
catch the Exception it throws.
Happiness prevails!

Cool. :)
 
Andrew Thompson

I'm tempted to try a self-signed certificate after all this talk, but
is it not so that the browser won't allow you to 'Always grant'
permission,

Is that a question, Chris?

Try my PhySci project*. I just (retried) the download link
this moment and it opened without word or whisper of 'Do you Accept'?
Self signed certificate - fully privileged code.

* <http://www.physci.org/install/download.jsp>

Seems from this, that if you click 'Always Accept' when installing
from a self-signed certificate, it works just as well.

[ Oh, ..and I now have complete control of your machine. ;-) ]
 
Roedy Green

Seems from this, that if you click 'Always Accept' when installing
from a self-signed certificate, it works just as well.

Over time Sun has been upping the legitimacy of self-signed certs.

I think originally they saw them for use only in testing while you
waited for your real one to arrive.
 
Darren

Andrew Thompson said:
Again, not precisely what I'm after.

Can you describe the experience you expect for the end user?
In terms of..
- user follows link.
- user sees page.
- dialog appears asking 'run privileged code?'
- user clicks...
(well - you need to tell me, in your own words)

[ I am beginning to doubt that what you want is possible,
but I am not yet *sure* what you want. ]
OK, now I have my own server which I own. I have a members-only web site
which I occasionally bring down for maintenance. My public non-members site
is hosted on my ISP's free web space and is up 24/7. I want a little link in
the corner that says "member's area". Now this should only be visible,
clickable, whatever, when the members area (my own private box) is up.
Have you tried installing any applets or projects that
are signed? Going through the process of downloading
a JWS app. may answer a lot of your questions.

Well, some sites install Flash Player and I have acquired a Yahoo toolbar in IE,
but other than that, no. Can you give me some examples?
No certificate in existence can *tell* a browser to *do*
anything. It all comes down to *asking* the *user*.

Try to get that distinction clear, as it is fundamental
to understanding what will happen with code signatures
and permissions.
Fair enough. Well then, can an applet get the browser (with the user's
permission) to temporarily set its policy file to the one on my members
only box for the duration that the user is on either my public area or my
members area?
What is it supposed to do once it 'looks' at that policy file?
Open the end user's machine to anything that is allowed in the
policy file on your site?
No. Just open a socket connection to my members only site on port and check
if it is up by accessing a dummy page and returns a result on whether the
site is up or down.
Even if JWS were set up that way, it would still be up
to the *end* *user* to say 'Yes - use the other policy file'.
I'm not trying to avoid asking the user. If that's what must be then that's
what must be, but if the user says yes then what I want is explained above.
Please note, in no way am I trying to get access to the end user's hard drive.
It is *not* down to 'the browser' alone. If it were, I might
surf in to your site only to have my own browser load a (hidden)
applet that, 'picking up' your policy file, now has unrestricted
access to my PC. Not good.

Again fair enough but the applet will be located on my public site and not
my members only site so security restrictions apply. If it were located on
my members only site it would not be an issue but as you can see, the point
is that the applet is not on my members only site.
 
Darren

Andrew Thompson said:
Thank you for adding that piece of information that will
probably assist in further confusing the OP.

Actually, he didn't, but thank you for your concern. :)
 
Darren

Roedy Green said:
You can with ONE grant which then can completely change the rules
subsequently.

Well, that is one method I see for solving my problem. Now bear in mind that I
know very little of Java security and policies other than what you good
people have told me and what I have found on Google, but if either I can get
a web client to temporarily use my own policy file where it can get
permission to open a socket to my web site and read from it or find another
way to do like a self-signed certificate it then that would be cool.
 
Andrew Thompson

...
Ok now i have my own server which i own. ..

I was not quite clear enough. But..
Well, some sites install Flash Player and I have acquired a Yahoo toolbar in IE,
but other than that, no. Can you give me some examples..

I'm sure this was mentioned on another thread in this group, but..
<http://www.physci.org/install/download.jsp>
Try that. See how you go.

Also, Roedy's WassUp applet at mindprod.

Roedy's applet is signed using a CA verified certificate,
mine is a self-signed certificate.

--
Andrew Thompson
physci.org 1point1c.org javasaver.com lensescapes.com athompson.info
"I don't wanna' be like other people are. Don't wanna' own a key, don't
wanna' wash my car.."
New Order 'Turn My Way'
 
Chris Berg

An extra tip. Old NN might throw a different flavor of
Exception*, if you need to support it, run your code in
it to check what it throws.

Yes, I remember clearly. It was a p... in the a.. ! Absolutely no way
I will continue to support old Netscape!!! There is probably less than
1% of Win users who run Netscape's old VM today. Well, plus maybe
some Apple OS9 users?
 
Andrew Thompson

Yes, I remember clearly. It was a p... in the a.. ! Absolutely no way
I will continue to support old Netscape!!!

(chuckle) I reached that point some time ago..

X-Browser/X-plat compatibility is one thing (OK 2), but
largely, users of *old* *browsers* can either upgrade
or take their chances.

(Fortunately most of my technically oriented users have
up-to-date browsers.)
 
David Alex Lamb

Let's up the ante here by assuming you are a terrorist organisation
and the combined resources of all branches of the US government are
out to thwart you.

Not only informative, but amusing as well.
 
