
self created/signed certificates?

Posted: Tue Dec 10, 2013 4:39 pm
by ejonesss
I was wondering whether you can write your own certificates and tell the site "here, use my certificate, I don't trust yours".


Seeing the article about Google's certificates being rogue gave me this idea that if there was a way to write your own certificate, then only you know your own certificate and rogue parties could not use the certificate.

Re: self created/signed certificates?

Posted: Tue Dec 10, 2013 5:25 pm
by MrFredPFL
That's a good question. Hopefully someone more knowledgeable than I can answer it.

My guess would be that yes, it's possible - but I have no idea what exactly it would take to do so.

Re: self created/signed certificates?

Posted: Tue Dec 10, 2013 7:22 pm
by sunnyd
This may be of interest, it's from March of 2012, but I believe it would still work the same way...

Creating Your Own SSL Certificate Authority (and Dumping Self Signed Certs)

http://datacenteroverlords.com/2012/03/ ... authority/

Re: self created/signed certificates?

Posted: Wed Dec 11, 2013 1:51 pm
by IneptVagrant
When you connect to an https site, you send a cert already as your identity. Google doesn't care who you are, so they never complain about it.

The purpose of a certificate is to provide authentication. You are talking to Google, and not to someone else.

If you don't trust the certificate, then you don't trust who you are talking to.

If you are willing to carry on the conversation anyways, then secrecy doesn't matter.

--

A rogue cert is like a disguise. Someone wants to shake your hand, so they introduce themselves as Google, and then you ask Google a bunch of questions, and you check your notebook of facts, and the guy has all the right answers, so you shake his hand.
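
Added example, not part of any post in this thread and not taken from the linked article: a private certificate authority built with the `openssl` CLI, illustrating the idea named in the article title sunnyd links. The hostname `www.example.test` and both CA names are constructed; the script shows that a verifier trusting only its own CA accepts a certificate that CA issued and rejects one for the same hostname issued by a different CA.

```bash
#!/usr/bin/env bash
# Added example. All names (mine, rogue, www.example.test) are constructed.

# Create a self-signed root CA: writes <dir>/<name>.key and <dir>/<name>.crt
make_ca() {  # make_ca <dir> <name> <common name>
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
    -keyout "$1/$2.key" -out "$1/$2.crt" -subj "/CN=$3" 2>/dev/null
}

# Issue a leaf certificate for <hostname>, signed by CA <ca name>.
issue_cert() {  # issue_cert <dir> <ca name> <leaf name> <hostname>
  openssl req -newkey rsa:2048 -nodes -keyout "$1/$3.key" \
    -out "$1/$3.csr" -subj "/CN=$4" 2>/dev/null &&
  openssl x509 -req -in "$1/$3.csr" -CA "$1/$2.crt" -CAkey "$1/$2.key" \
    -CAcreateserial -sha256 -days 30 -out "$1/$3.crt" 2>/dev/null
}

# Succeed only if the leaf's signature chains to the CA file passed in.
trusted_by() {  # trusted_by <ca crt> <leaf crt>
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Two CAs issue a certificate for the same hostname; only "mine" is trusted.
demo() {
  d=$(mktemp -d) || return 1
  make_ca "$d" mine "My Private CA" || return 1
  make_ca "$d" rogue "Rogue CA" || return 1
  issue_cert "$d" mine good www.example.test || return 1
  issue_cert "$d" rogue fake www.example.test || return 1
  for leaf in good fake; do
    if trusted_by "$d/mine.crt" "$d/$leaf.crt"; then
      echo "$leaf: accepted"
    else
      echo "$leaf: rejected"
    fi
  done
  rm -rf "$d"
}

demo
```

Both leaf certificates carry the same hostname; the only thing that separates them is which CA key signed them, which is why the private key of the CA has to stay private.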