Dissection of self signed certificate

Introduction

Laymen explanation

If you are owning a website and you are concerned of website access security, you might be looking for popular https based access, To configure https, you need to have a server certificate. There are means to create certificate. Who will sign your certificate? Will you sign it yourself? Is it safe against hackers who wants to to trap your website users? This article helps in this regard

Technical explanation

If you use self signed certificate, What it comes down to is trust. These self-signed certificates are not verified by a trusted third party. When you use a self-signed certificate, you are saying to your customers "trust me - I am who I say I am." Some hacker can also do the same.

Anyone can create a self-signed certificate, and you can put whatever meta-data you want into it. So, two self-signed certificates can look and behave identically, the only thing that differentiates them is the key pair used to sign it.

Where It will be relatively safe to use self signed certificate

Self-signed certificates are great for testing servers. If you're creating a website that you need to test over an https connection, you don't have to pay for a signed certificate for that development site (which is likely to be an internal resource). You just need to tell your testers that their browser may pop warning messages.

Few examples where it will be unsafe to use self signed certificate

- If you're doing ecommerce, you need a signed certificate.
- If you are doing financial transaction, you need a signed certificate
- You may be tempted to use self-signed certificates for situations that require privacy, but people might not be as concerned about.Example will be forms for username/password, exchanging personal info. Beware that even with self signed certificate, a hacker can create resembling website to collect such info.

Browser behavior with self signed certificate

Browsers throws notification when it sees self signed certificate. You can use https://self-signed.badssl.com/ for experimenting it.

Curl behavior with self signed certificate

To handle this case, curl asks to mention the server certificate as -cacerts option. There is another insecure option using -k (--insecure), but it should not be used (since it compromise data integrity)

Accessing self signed website using curl

[root@ubuntu ~/temp]# openssl s_client -showcerts -servername self-signed.badssl.com -connect self-signed.badssl.com:443 | tee cacert.pem

depth=0 C = US, ST = California, L = San Francisco, O = BadSSL, CN = *.badssl.com

verify error:num=18:self signed certificate

verify return:1

depth=0 C = US, ST = California, L = San Francisco, O = BadSSL, CN = *.badssl.com

verify return:1

CONNECTED(00000003)

---

Certificate chain

0 s:/C=US/ST=California/L=San Francisco/O=BadSSL/CN=*.badssl.com

i:/C=US/ST=California/L=San Francisco/O=BadSSL/CN=*.badssl.com

-----BEGIN CERTIFICATE-----

MIIDeTCCAmGgAwIBAgIJAIb7Tcjl3Q8YMA0GCSqGSIb3DQEBCwUAMGIxCzAJBgNV

BAYTAlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMRYwFAYDVQQHDA1TYW4gRnJhbmNp

c2NvMQ8wDQYDVQQKDAZCYWRTU0wxFTATBgNVBAMMDCouYmFkc3NsLmNvbTAeFw0x

NjA4MDgyMTE3MDVaFw0xODA4MDgyMTE3MDVaMGIxCzAJBgNVBAYTAlVTMRMwEQYD

VQQIDApDYWxpZm9ybmlhMRYwFAYDVQQHDA1TYW4gRnJhbmNpc2NvMQ8wDQYDVQQK

DAZCYWRTU0wxFTATBgNVBAMMDCouYmFkc3NsLmNvbTCCASIwDQYJKoZIhvcNAQEB

BQADggEPADCCAQoCggEBAMIE7PiM7gTCs9hQ1XBYzJMY61yoaEmwIrX5lZ6xKyx2

PmzAS2BMTOqytMAPgLaw+XLJhgL5XEFdEyt/ccRLvOmULlA3pmccYYz2QULFRtMW

hyefdOsKnRFSJiFzbIRMeVXk0WvoBj1IFVKtsyjbqv9u/2CVSndrOfEk0TG23U3A

xPxTuW1CrbV8/q71FdIzSOciccfCFHpsKOo3St/qbLVytH5aohbcabFXRNsKEqve

ww9HdFxBIuGa+RuT5q0iBikusbpJHAwnnqP7i/dAcgCskgjZjFeEU4EFy+b+a1SY

QCeFxxC7c3DvaRhBB0VVfPlkPz0sw6l865MaTIbRyoUCAwEAAaMyMDAwCQYDVR0T

BAIwADAjBgNVHREEHDAaggwqLmJhZHNzbC5jb22CCmJhZHNzbC5jb20wDQYJKoZI

hvcNAQELBQADggEBALW4pad52T7VNw2nFMjPH98ZJNAQQgWyr3H2KlZN6IFGsonO

nCC/Do8BPx6BnP3PFwovWMat1VvnRRoC8lw/30eEazWqBRGZWPz6LHTE3DNBJdc8

xz6mh8q9RJX/PAj+YYGNElTu6qj49YT0BEhMF4U+dTQ0G8y3x4WNfiu9pGqyrp8d

AzeidMfQ/pU01PpoPTDLvRDNkmMsABNE1fXBfJxDDGwfq1xY1j23Fm6BolwZC2y7

n19h+vMYVWbGoovrf2/ibTvtcTyfDop7gl5Yy3OncZxokFj21rUZpLgx9ea4a9z3

FzEz5ufynq03RhHTE1eu+gDzMEF0GNhGGsKqeA4=

-----END CERTIFICATE-----

---

Server certificate

subject=/C=US/ST=California/L=San Francisco/O=BadSSL/CN=*.badssl.com

issuer=/C=US/ST=California/L=San Francisco/O=BadSSL/CN=*.badssl.com

---

No client certificate CA names sent

---

SSL handshake has read 1604 bytes and written 452 bytes

---

New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256

Server public key is 2048 bit

Secure Renegotiation IS supported

Compression: NONE

Expansion: NONE

SSL-Session:

Protocol : TLSv1.2

Cipher : ECDHE-RSA-AES128-GCM-SHA256

Session-ID: BD9E1559D1D22F8A749A7ABD6F54148192046F766B5AE55656BD0A43B7978A2A

Session-ID-ctx:

Master-Key: AB875A2497EEECB16127609D131C08A27DE73CEFEB2A902AF430FB36816AA6A2EBBD6156A565F29D93E12BED2EAAE356

Key-Arg : None

PSK identity: None

PSK identity hint: None

SRP username: None

TLS session ticket lifetime hint: 300 (seconds)

TLS session ticket:

0000 - 05 a3 91 90 f8 de 67 78-c3 7f 5b 83 24 31 25 01 ......gx..[.$1%.

0010 - 96 3b fb 3c 23 a7 c9 00-53 30 a2 f8 9d 2f dc 2d .;.<#...S0.../.-

0020 - ad 2b a6 10 90 26 79 40-65 77 5e 4f a8 63 0d 89 .+...&y@ew^O.c..

0030 - 56 e7 42 4b 29 88 6f a8-04 5c 11 6b 24 5d fa 2f V.BK).o..\.k$]./

0040 - 83 32 8d 80 9a 62 f6 1d-b8 72 0a 71 9d 9c e0 d1 .2...b...r.q....

0050 - a8 ec 3e c0 28 61 51 88-33 81 ae 1d 29 23 16 61 ..>.(aQ.3...)#.a

0060 - 1e aa 6a f4 d2 82 51 6c-eb ec 4b fb eb 53 a0 87 ..j...Ql..K..S..

0070 - d2 0c 6d 38 25 36 a2 1f-08 6b fa 83 80 2e 0f 33 ..m8%6...k.....3

0080 - 40 f1 69 4c e4 69 84 9b-39 10 1d ff 5a f6 08 cb @.iL.i..9...Z...

0090 - 2c 5b 91 65 00 85 a1 e7-e0 31 ad b6 99 64 0d 64 ,[.e.....1...d.d

00a0 - b9 e4 2e ff f3 1a 40 64-ac 1a 81 4c 20 60 1b b8 ......@d...L `..

00b0 - bd 6c 7f 1a 1f 49 65 b5-22 86 7e 30 e5 d2 ae 88 .l...Ie.".~0....

00c0 - af b9 b5 cb 79 1f 44 51-da e2 7d ec 1c 89 08 90 ....y.DQ..}.....

Start Time: 1506670928

Timeout : 300 (sec)

Verify return code: 18 (self signed certificate)

---

[root@ubuntu ~/temp]# curl -v --cacert cacert.pem https://self-signed.badssl.com

* Rebuilt URL to: https://self-signed.badssl.com/

* Hostname was NOT found in DNS cache

* Trying 104.154.89.105...

* Connected to self-signed.badssl.com (104.154.89.105) port 443 (#0)

* successfully set certificate verify locations:

* CAfile: cacert.pem

CApath: /etc/ssl/certs

* SSLv3, TLS handshake, Client hello (1):

* SSLv3, TLS handshake, Server hello (2):

* SSLv3, TLS handshake, CERT (11):

* SSLv3, TLS handshake, Server key exchange (12):

* SSLv3, TLS handshake, Server finished (14):

* SSLv3, TLS handshake, Client key exchange (16):

* SSLv3, TLS change cipher, Client hello (1):

* SSLv3, TLS handshake, Finished (20):

* SSLv3, TLS change cipher, Client hello (1):

* SSLv3, TLS handshake, Finished (20):

* SSL connection using ECDHE-RSA-AES128-GCM-SHA256

* Server certificate:

* subject: C=US; ST=California; L=San Francisco; O=BadSSL; CN=*.badssl.com

* start date: 2016-08-08 21:17:05 GMT

* expire date: 2018-08-08 21:17:05 GMT

* subjectAltName: self-signed.badssl.com matched

* issuer: C=US; ST=California; L=San Francisco; O=BadSSL; CN=*.badssl.com

* SSL certificate verify ok.

> GET / HTTP/1.1

> User-Agent: curl/7.35.0

> Host: self-signed.badssl.com

> Accept: */*

< HTTP/1.1 200 OK

* Server nginx/1.10.3 (Ubuntu) is not blacklisted

< Server: nginx/1.10.3 (Ubuntu)

< Date: Thu, 28 Sep 2017 23:32:24 GMT

< Content-Type: text/html

< Content-Length: 477

< Last-Modified: Thu, 07 Sep 2017 18:18:21 GMT

< Connection: keep-alive

< ETag: "59b18d6d-1dd"

< Cache-Control: no-store

< Accept-Ranges: bytes

<!DOCTYPE html>

<html>

<head>

<title>self-signed.badssl.com</title>

</head>

<body>

self-signed.<br>badssl.com

</h1>

</div>

</body>

</html>

* Connection #0 to host self-signed.badssl.com left intact

Reference

https://www.thoughtco.com/signed-vs-self-signed-certificates-3469534

https://badssl.com/

https://stackoverflow.com/questions/27611193/curl-ssl-with-self-signed-certificate

https://security.stackexchange.com/questions/13325/is-a-self-signed-certificate-sufficient-to-prove-the-integrity-of-my-executable

https://www.ibm.com/support/knowledgecenter/en/SS3JSW_5.2.0/com.ibm.help.security_523.doc/SI_certificates_benefits.html

Page updated

Google Sites

Report abuse