Gathering session cookies with Firesheep
Posted Nov 4, 2010 14:44 UTC (Thu) by gerv
In reply to: Gathering session cookies with Firesheep
Parent article: Gathering session cookies with Firesheep
https with a self-signed cert is MORE secure than no encryption at all.
It depends what you mean by "secure". Does it protect against some attacks (e.g. passive attacks)? Yes. Does it open the user up to some additional attacks (e.g. phishing)? Yes. Because no security measure is taken in isolation - it's associated with a set of code changes, UI changes and behaviour advice. And the interaction patterns associated with "self-signed certs are OK" are intimately tied up with "the cert sometimes changes on you", and that event can be either the sign of an attack, or not. And if users can't differentiate well between the two, they are opened up to new attacks.
Browsers could, if they liked, save any self-signed certs and warn if they ever change -- this would stop man-in-the-middle in all cases, except those cases where your *first* visit happens to hit the mitm. (again: stopping *some* attacks is superior to stopping no attacks.)
I do address that exact point in my article. My question to you: how do you train Joe Public to differentiate between: "This cert has changed!" (you are now being MITMed) and "This cert has changed!" (the server operator changed their cert)? The browser can't tell the difference - the user would need an out-of-band way of verifying the cert fingerprint with the site. And what are the chances of my grandmother doing that?
"Hello, is that Marks and Spencer?"
"Yes, how can I help you?"
"Hello, dear. Well, my browser tells me that I have to telephone you to verify the Shalsum of your certificate."
The practical result of making https cumbersome and expensive to use is that people use plain http instead; this does not in ANY way benefit security.
The expense of certificates is no longer a factor here. Go get a free cert from StartCom and be happy. And the computational cost is the same for trusted certs and for self-signed certs. So there is very little additional cost. In fact, given how much hassle it is to generate a self-signed cert on e.g. Windows, the CA route is actually less costly in time terms.
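The two mechanisms argued over in this thread, a browser that remembers a self-signed cert and warns when it changes, and a user who checks the fingerprint out of band, can be sketched in a few dozen lines. The following is an added example, not code from the comment or from LWN; it assumes the caller already holds the server certificate as DER bytes (in practice `ssl.SSLSocket.getpeercert(binary_form=True)` returns exactly that), and the two "certificates" it feeds in are constructed placeholder byte strings, not real certificates. It shows the point gerv makes: the store can report that a cert changed, but it cannot tell a rotation from a man-in-the-middle, and a first visit is accepted blind.

```python
import hashlib

# Constructed placeholders standing in for DER-encoded certificates.
# Real DER would come from ssl.SSLSocket.getpeercert(binary_form=True).
CERT_ORIGINAL = b"constructed-DER-placeholder: shop.example, key 1"
CERT_ROTATED = b"constructed-DER-placeholder: shop.example, key 2"


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 over the DER bytes, shown as colon-separated hex pairs
    the way browsers display certificate fingerprints."""
    digest = hashlib.sha256(der_cert).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize_fingerprint(text: str) -> str:
    """Strip colons, spaces and case so a fingerprint read out over the
    phone can be compared with the one the browser computed."""
    return "".join(ch for ch in text.upper() if ch in "0123456789ABCDEF")


def matches_out_of_band(der_cert: bytes, spoken: str) -> bool:
    """The out-of-band check from the thread: does the fingerprint the site
    operator gave the user match the cert the connection presented?"""
    return normalize_fingerprint(fingerprint(der_cert)) == normalize_fingerprint(spoken)


class TofuStore:
    """Trust-on-first-use store keyed by host, as proposed above for
    self-signed certs: remember the first cert seen, warn on any change."""

    def __init__(self) -> None:
        self.known: dict[str, str] = {}

    def check(self, host: str, der_cert: bytes) -> str:
        fp = fingerprint(der_cert)
        previous = self.known.get(host)
        if previous is None:
            # Nothing to compare against: a MITM on the very first visit
            # would be pinned just as readily as the genuine server.
            self.known[host] = fp
            return "first-seen"
        if previous == fp:
            return "match"
        # Either the operator rotated the cert or the connection is being
        # intercepted. The client has no way to tell which; only an
        # out-of-band check (matches_out_of_band) can resolve it.
        return "changed"

    def accept_new(self, host: str, der_cert: bytes) -> None:
        """Called only after the user has verified the new cert out of band."""
        self.known[host] = fingerprint(der_cert)


def demo() -> list[str]:
    """Walk one host through first visit, repeat visit, and a cert change."""
    store = TofuStore()
    results = [
        store.check("shop.example", CERT_ORIGINAL),  # first-seen
        store.check("shop.example", CERT_ORIGINAL),  # match
        store.check("shop.example", CERT_ROTATED),   # changed
    ]
    # Operator reads the new fingerprint out over the phone, lowercase,
    # no colons; the user types it in and the store accepts the rotation.
    spoken = fingerprint(CERT_ROTATED).replace(":", "").lower()
    if matches_out_of_band(CERT_ROTATED, spoken):
        store.accept_new("shop.example", CERT_ROTATED)
        results.append(store.check("shop.example", CERT_ROTATED))  # match
    return results


if __name__ == "__main__":
    print(demo())
```

The `changed` result is where the argument lives: the code can raise the alarm, but deciding whether the alarm is real requires the fingerprint comparison, and that comparison needs a second channel to the site operator that most users will never use.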