
Thread: Understanding Security

  1. #1

    Thread Starter
    Fanatic Member Kzin's Avatar
    Join Date
    Dec 2000
    Posts
    611

    Question

    I was browsing an eSecurity firm's web site and got this message - does this mean that their site is not really secure or set up correctly? What are the risks?
    Attached Images

  2. #2

    Thread Starter
    Fanatic Member Kzin's Avatar
    Join Date
    Dec 2000
    Posts
    611
    Other half of message
    Attached Images

  3. #3

    Thread Starter
    Fanatic Member Kzin's Avatar
    Join Date
    Dec 2000
    Posts
    611
    To clarify - I'm not worried that something terrible is about to happen to me for visiting the site - but is their site vulnerable? Can they be taken seriously as security consultants?

  4. #4
    New Member Jeff_1's Avatar
    Join Date
    Jan 2001
    Location
    Right behind you.
    Posts
    10

    Umm..

    It doesn't exactly mean that the site is insecure.
    The certificates are ways that your ISP or just your computer "trust" the content from that website.

    Certificates are given to a company's web site so they can be trusted to do things..like encryption..stuff like that.

    Not exactly sure though.
    Last edited by Jeff_1; Feb 22nd, 2001 at 11:12 AM.

  5. #5

    Thread Starter
    Fanatic Member Kzin's Avatar
    Join Date
    Dec 2000
    Posts
    611
    I think the point that I was thinking of was - if a certificate isn't traceable (as this one says it was) could it be a fake or altered?

    If it's a fake could it be on someone else's site just pretending to be the site it says it is?

    (For the sake of discussion let's be really paranoid about this)

  6. #6
    Monday Morning Lunatic parksie's Avatar
    Join Date
    Mar 2000
    Location
    Mashin' on the motorway
    Posts
    8,169
    Certificates need to be authenticated by a Certificate Authority such as Verisign before they're valid. Your message means that the certificate couldn't be verified as an authentically-created certificate.

    It's like the difference between writing a will and having a solicitor draw one up for you.
    I refuse to tie my hands behind my back and hear somebody say "Bend Over, Boy, Because You Have It Coming To You".
    -- Linus Torvalds

  7. #7
    New Member Jeff_1's Avatar
    Join Date
    Jan 2001
    Location
    Right behind you.
    Posts
    10

    Yeah what he said

    I tried to say that but the mix of ephedra and caffeine kind of makes me jabber on and on..heh

  8. #8

    Thread Starter
    Fanatic Member Kzin's Avatar
    Join Date
    Dec 2000
    Posts
    611

    Originally posted by parksie
    Certificates need to be authenticated by a Certificate Authority such as Verisign before they're valid. Your message means that the certificate couldn't be verified as an authentically-created certificate.

    It's like the difference between writing a will and having a solicitor draw one up for you.

    Nicely put! But isn't it really like someone at a funeral saying "I found this will and the old codger's inheritance is all MINE!!". If the will is drawn up by a good solicitor then there is a trusted third party to validate it. If it is not then the source of the will is suspect. I guess - in principle - so is a site with a certificate that couldn't be verified as an authentically-created certificate. Is that right?

  9. #9
    Monday Morning Lunatic parksie's Avatar
    Join Date
    Mar 2000
    Location
    Mashin' on the motorway
    Posts
    8,169
    Yep.

    Although technically a Trusted Third Party (TTP) is a different thing -- they're someone else with your public/private key pair.
    I refuse to tie my hands behind my back and hear somebody say "Bend Over, Boy, Because You Have It Coming To You".
    -- Linus Torvalds

  10. #10

    Thread Starter
    Fanatic Member Kzin's Avatar
    Join Date
    Dec 2000
    Posts
    611
    So (hypothetically) what would be the worst case scenario for a certificate like that - what is the worst that could happen? Could a site with a certificate like that be fake? (I doubt if the example one is - this is hypothetical remember!)

  11. #11
    Monday Morning Lunatic parksie's Avatar
    Join Date
    Mar 2000
    Location
    Mashin' on the motorway
    Posts
    8,169
    Browsing a secure website, not that much bad can happen. All it means is you can't be sure who's at the other end. Normally the certificate contains the destination address and this is validated. In this case it's just not guaranteed. You won't lose any in-transit security.
    I refuse to tie my hands behind my back and hear somebody say "Bend Over, Boy, Because You Have It Coming To You".
    -- Linus Torvalds
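
Added example, not part of the original thread: the checks described in posts #6 and #11, reproduced offline with the openssl command line. The CA name and the host names shop.example and other.example are constructed for the demo. A certificate signed by the trusted CA is accepted, a self-signed one claiming the same name is rejected (the situation behind the browser warning), and the CA-signed one is rejected when the host name does not match.

```shell
#!/usr/bin/env bash
# Constructed demo: "Demo Root CA", shop.example and other.example are made-up names.
set -u
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

make_demo_certs() {
  # A private CA standing in for a commercial Certificate Authority.
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo Root CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
  # Site certificate that the CA has signed.
  openssl req -newkey rsa:2048 -nodes -subj "/CN=shop.example" \
    -keyout "$WORK/site.key" -out "$WORK/site.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/site.csr" -CA "$WORK/ca.pem" \
    -CAkey "$WORK/ca.key" -CAcreateserial -days 1 \
    -out "$WORK/site.pem" 2>/dev/null
  # Self-signed certificate claiming the same name; no CA vouches for it.
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=shop.example" \
    -keyout "$WORK/self.key" -out "$WORK/self.pem" 2>/dev/null
}

# Does the certificate chain to the CA we trust?
chain_ok() {
  openssl verify -CAfile "$WORK/ca.pem" "$1" >/dev/null 2>&1
}

# Does it chain to the CA and also name the host we meant to reach?
name_ok() {
  openssl verify -CAfile "$WORK/ca.pem" -verify_hostname "$2" "$1" >/dev/null 2>&1
}

report() {
  if "$@"; then echo "accepted: $*"; else echo "rejected: $*"; fi
}

make_demo_certs
report chain_ok "$WORK/site.pem"                 # signed by the trusted CA
report chain_ok "$WORK/self.pem"                 # same name, nobody vouches for it
report name_ok "$WORK/site.pem" shop.example     # right CA, right host
report name_ok "$WORK/site.pem" other.example    # right CA, wrong host
```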
