The practical insecurity of self-signed SSL certificates on the web

November 27, 2008

Here is a modest suggestion from the devil's advocate: web browsers should forbid self-signed SSL certificates entirely, with no 'no, really, let me through' button, option, or extended dialog. They should do this because in practice and in general there is no way to make self-signed SSL certificates at all secure.

Self-signed certificates are insecure in general unless you really truly know what you are doing. Most users do not know what they are doing in this sense, and for sensible reasons will pretty much ignore any warnings you throw up to try to teach them and will blindly click on any button required to make things get out of their way. In the real, pragmatic world the results of this are, unfortunately, predictable and explosive.

Given my previous views on this I don't really like this. But it seems quite hard to allow for any quiet implicit use of self-signed certificates for things like opportunistic encryption, and it's also clear that if you give the general user population something explosive, people are going to blow themselves up through accident and ignorance. Ignoring this reality is just as wrong as ignoring reality in pursuit of mathematically perfect security, and for the same reason.

(You can argue that only a few people will blow themselves up this way and that most people will read the alerts and save themselves. I think this is totally wrong.)

Note that I don't necessarily agree with this; I just think that it's a plausible argument. Even if it's plausible it may not be practical, since by now there are enough vendor-supplied things out there in the field with malformed or self-signed SSL certificates that a browser that could not accept them would be pretty crippled (certainly I could never use it).

(Making self-signed certificates work only if you turn on a secret preference doesn't work in the real world; someone writes up the secret preference, and soon the search engine hits roll in and everyone knows that to get browser X to work right and get out of your way you do this magic thing and then click through the dialog boxes just like you used to. Down that road is Firefox 3.)

Comments on this page:

From at 2008-11-27 03:49:55:

What exactly is the problem with treating self-signed certificates just like a plain old unencrypted, unsigned HTTP connection?

It seems ludicrous to me to treat self-signed certificates as somehow less trustworthy than plain HTTP connections.

By cks at 2008-11-27 08:51:54:

The problem with automatically using self-signed certificates for encryption is satisfying user perceptions of how much security you are getting; I wrote about this in SSLSelfSignedProblems.

(Since then I have realized that the server-side software also cares about this; it could no longer use 'is connecting over https' as 'has full SSL security'. In fact if you allowed silent opportunistic encryption over https I don't think there's any way that the server side software could know if there was full SSL security involved.)

Written on 27 November 2008.

Last modified: Thu Nov 27 00:45:12 2008