Self-Signed Certificates - Helping users know they need to add a root certificate authority to a trusted certificate store

I have a desktop product that uses an embedded web server that will use self-signed certificates.

Is there something I can post on a web page that detects that they have not added the root CA to their trusted list and display a link or DIV or something directing them to do this?

I'm thinking maybe a DIV that has CA installation instructions, and JavaScript that runs some test (trying to access something without internal warnings?) and hides the DIV if the test succeeds. Or something like that...

Any ideas from the brilliant SO community? :)

+4
source share
9 answers

Why would you want to do that? It is a bad idea to train users to indiscriminately install CA root certificates just because a website tells them to. You undermine the whole chain of trust. A user who is responsible about security will ignore your recommendation to install a certificate and may conclude that you do not take security seriously because you did not bother to purchase a certificate from an existing CA.

Do you really need HTTPS? If so, you should probably bite the bullet and make a deal with a CA to make it easier to provide your customers with correct CA-signed server certificates. If the web server is used only for local connections from the desktop application, you must either add the self-signed certificate to the trusted list as part of the installation process, or switch to HTTP instead.

+10
source

Assuming you know C# and you want to install the pfx file: create an exe to be launched from the URL. Follow this url

+2
source

The only idea I have is to use frames and some javascript.

The first frame element will act as a watchdog, waiting x time (javascript setTimeout) before showing your SSL error message to the user, with hyperlinks or instructions to download the self-signed certificate.

The second frame element tries to connect over https and, if it succeeds, resets the watchdog frame so that it never fires. If this does not work (suppose the https cert check failed), the watchdog will then fire and its message will be presented to the user.

Depending on your browser, you will most likely still see a security warning using this approach, but at least you can promote your own content without requiring users to run untrusted code without the proper trust chain (that would be much worse from a security POV than accepting certificate verification errors and establishing an untrusted ssl session).

Improvements to the concept may be possible using other testing methods, such as XMLHttpRequest and others.

+2
source
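
An added example, not part of the answer above or of the original page: the watchdog-plus-probe idea written with a single HTTPS request instead of frames. The probe URL, the help element and the timeout are assumptions chosen for illustration.

```javascript
// Added example. Assumed names: the probe URL, the help element, the timeout.

// Decides what the page shows. A successful probe always hides the help;
// a failure or timeout only shows it while no result has arrived yet.
function createWatchdog(showHelp, hideHelp) {
  let state = "pending"; // "pending" | "trusted" | "untrusted"
  const fail = () => {
    if (state === "pending") {
      state = "untrusted";
      showHelp();
    }
    return state;
  };
  return {
    probeSucceeded() {
      state = "trusted";
      hideHelp();
      return state;
    },
    probeFailed: fail,
    timedOut: fail,
    state: () => state,
  };
}

// Wires the watchdog to a timer and an HTTPS request. fetch() rejects when the
// TLS handshake fails (untrusted certificate) and also when the server is
// unreachable, so "untrusted" here only means "could not connect securely".
function startCertProbe(probeUrl, helpElement, timeoutMs, deps) {
  const { fetchFn, setTimer, clearTimer } = deps || {
    fetchFn: (url, opts) => fetch(url, opts),
    setTimer: (fn, ms) => setTimeout(fn, ms),
    clearTimer: (id) => clearTimeout(id),
  };
  const dog = createWatchdog(
    () => { helpElement.hidden = false; },
    () => { helpElement.hidden = true; }
  );
  const timer = setTimer(() => dog.timedOut(), timeoutMs);
  // "no-cors": the response body is not needed, only whether the request completed.
  fetchFn(probeUrl, { mode: "no-cors", cache: "no-store" })
    .then(() => { clearTimer(timer); dog.probeSucceeded(); })
    .catch(() => { clearTimer(timer); dog.probeFailed(); });
  return dog;
}
// Browser use (constructed URL and element id):
// startCertProbe("https://localhost:8443/ping", document.getElementById("ca-help"), 3000);
```

A successful probe does not prove the root CA was installed: a user who clicked through the browser warning for that origin gets the same result.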

You must not do this. Root certificates are not something that you just install, as adding one can compromise any security provided by https.

However, if you are creating a desktop application, just listen only on 127.0.0.1. That way, traffic never leaves the user's computer and cannot be listened to.

+2
source

You can try to add some (hidden) Flex element or Java applet once per user session. It will simply load any https page of your server and get all the connection information:

com.sun.deploy.security.CertificateHostnameVerifier.verify() or javax.security.cert.X509Certificate.checkValidity() 

I assume that Flex (which is more common for users) has similar ways to verify the https certificate from the user's point of view. It should also share the OS trusted certificates, while Java may have its own.

0
source

Since the server is running on a client machine (desktop product), can it check the supported browsers for installed certificates using the winapi / os functions? I know that Firefox has a certificate database in the user profile directory, and IE probably stores information in the registry. It would not be reliable for all browsers, but if the server simply chooses between "Certificate Found" and "Please make sure you have installed the certificate before continuing," then there will be no harm, since the user can continue to work in any case.

You can also simplify the process by providing a built-in browser (i.e. gecko), so you only have 1 browser with which you can simplify many things (including preinstalling the root CA).

0
source

To recap: you configure web servers on desktop applications; each desktop will have its own web server, but you want to use SSL to secure the connection to this web server.

I assume that there are several problems with the certificates, one of which is that the host name used to access the desktop must match the certificate. In this case, you have little choice but to create certificates on the client. You will need to give the user the ability to specify a host name if the name used by outsiders cannot be found from the host itself.

I also propose allowing the administrator to install a trusted certificate for those who do not want to rely on self-signed certificates. That way, you can also offload the cost of trusted certificate maintenance to administrators who really want it.

Finally, in my experience, browsers allow or deny a self-signed certificate, and the server does not know if the certificate can be revoked or temporarily accepted or accepted on an ongoing basis. I assume that there should be a mechanism for handling SSL failures, but typical web programming does not work at this level. In any case, the only thing the web server can do if the SSL refusal is to refuse non-SSL, and you indicated in the comment that you can have nothing but SSL. I think you should try to remove this restriction; an SSL-free start page would be extremely useful in this situation: it can test (using frames or images or JSON or AJAX) the https connection and can refer to the documentation on how to configure the certificate or where to download the installer for the certificate.

If the browser does not connect due to a self-signed certificate, and you are not allowed to use plain HTTP at all, what other way could you communicate with the user? There are no other channels, and you cannot install them because you have no connection.

You mentioned in a comment writing a win32 application to install a certificate. You can install the certificate at the time of installing the application itself, but this does not help remote browsers, and the local browser does not require SSL to access localhost.

0
source

We are working on an open source JavaScript project called Forge, which is related to this problem. Do you have a website available to your users? If so, then you can securely connect to these desktop applications through your website using the Flash for Cross-Domain + JavaScript for TLS combination. This will require you to implement some web services on your website to process the signatures of the desktop applications' certificates (or have your desktop applications download self-signed certificates so that they can be accessed via JavaScript). We describe how it works here:

http://blog.digitalbazaar.com/2010/07/20/javascript-tls-1/

An alternative to creating a website, though less secure since it allows a MiTM attack, is to host the JavaScript + Flash directly on the desktop application server. You could have your users get into your desktop application via regular http to download the JS + Flash + SSL certificate, but then start using TLS later through JS. If you are connecting to localhost, the MiTM attack may be a little less disturbing - perhaps you just need to consider this option.

0
source

An ActiveX control can do the trick. But I really did not call to help with the decision, I no longer agree with the position that what you are doing is a security risk.

To be clear, you need a secure cipher (I hope AES, not DES) and already control your endpoints; you are just not able to completely eliminate network sniffers in promiscuous mode that can capture clear text passwords or other sensitive data.

SSL is a "Secure Socket Layer", and by definition is NOT dependent on ANY certificates.

However, all effective modern ciphers require that it authenticate the endpoints of the tunnel, which is not always a necessity for each application; disappointment that I came across in many data center automation routines using web services APIs to manage nodes, where the “users” were actually processes that needed encrypted key exchange before negotiating a RESTful command.

In my case, the VLANs were protected through the ACL, so I really can "send" authentication headers in clear text. But just typing that made me throw up a little in my mouth.

I’m sure that I’ll be flamed for typing this, but I’m very fierce and would make the same comments to you in 10-15 years of my IT career. Therefore, I sympathize with their concerns and really appreciate if they are passionate enough in safety to cry. They will find out in the end.

But I agree that it is a BAD idea to “train” users to install the root certification authority on their own. On the other hand, if you use a self-signed certificate, you must train them to install it. And if the user does not know how to determine whether a CA cert deserves validity, they will definitely not be able to tell a self-signed certificate from a CA cert, and thus either of the processes will have the same effect.

If it were me, I would automate the process rather than help end users through it, keeping it as hidden from them as possible, just like a proper PKI for the enterprise.

Speaking of this, I just thought of a potential solution. Use the Microsoft PKI model. With Server 2012 R2, you can deliver trusted keys to endpoints that are not even members of a domain using "device management" through "workspaces", and client machines can subscribe to multiple workspaces, so they are not transferred exclusively to you if they are signed. Once they do and authenticate, the AD Certificate Services role will push out all the root CA certificates that are present in the active directory or the specified LDAP server. (If you are using standalone CA servers)

In addition, I understand that this thread is like 7 years old, but I am sure that it is still relevant to a large number of people who need such solutions, and I felt obligated to share the opposite opinion. (Okay, Microsoft, where is my rollback for the fork I gave you?)

-cashman

0
source
