Installing Certificates . Why?? help please
Posted by Galadrial on August 26th, 2007


I know little about security certificates but am following advice to check
the details when using an HTTPS site. Can anyone tell me what the Install
Certificate option is when I check, for instance GRC's certificate?

Thanks for your time


Posted by Sebastian G. on August 26th, 2007


Galadrial wrote:


It locally stores the certificate for later comparison when it's a root cert.


Then for nothing. You visited a charlatan's website and you want to add his
self-signed root cert to your cert store? Utterly foolish.

Posted by Galadrial on August 27th, 2007


Thanks Jim, getting clearer. To summarise, if the certificate is issued by
the website themselves then be very sure before installing. Just not clear
what, if anything, I am missing out on by not installing - whether a self
certificate I decide to trust or one issued by a known and trusted authority
(VeriSign in GRC's case)? I have no problem with GRC's site, the
certificate looks fine and I'm not getting any warnings.

"Jim Watt" <jimwatt@aol.no_way> wrote in message
news:5g25d3p363c5j7tkb1ugp8ff3l5akg6h43@4ax.com...


Posted by nemo_outis on August 27th, 2007


Jim Watt <jimwatt@aol.no_way> wrote in
news:5g25d3p363c5j7tkb1ugp8ff3l5akg6h43@4ax.com:

....

Funny you should pick Microsoft as your example regarding this point. In
January 2001, VeriSign **erroneously issued** two Class 3 code-signing
certificates to someone falsely claiming to represent Microsoft. It was 6
weeks before anyone noticed!

Regards,


Posted by Ari on September 2nd, 2007


On Mon, 27 Aug 2007 10:48:35 +0200, Jim Watt wrote:

Complicating the CA issue is Comodo's free issuance of CAs.
--
"You can't trust code that you did not totally create yourself"
Ken Thompson "Reflections on Trusting Trust"
http://www.acm.org/classics/sep95/

Posted by Ari on September 4th, 2007


On Mon, 03 Sep 2007 11:51:15 +0200, Jim Watt wrote:

<http://www.comodo.com/products/certificate_services/email_certificate.html>
--
"You can't trust code that you did not totally create yourself"
Ken Thompson "Reflections on Trusting Trust"
http://www.acm.org/classics/sep95/

Posted by Galadrial on September 4th, 2007


Pleased to see my original question provoked some discussion but I'm none
the wiser ..

.... if I go to a bank website, see HTTPS, check out the certificate and have
the option to "Install Certificate", should I? What do I gain or lose by
doing so or not?


Posted by Craig A. Finseth on September 5th, 2007


In article <tdpsd3ts6cifvtfohrb7bt3u6hdl5pdb6l@4ax.com>,
Jim Watt <jimwatt@aol.no_way> wrote:
...

No, they charge for them to make a profit. They have shown by their
behavior that they will happily assign certificates to unauthorized
people.

...
No, certificates only provide one function: protecting data while in
transit.

While they have the theoretical ability to do the second, in practice,
they don't. So, don't trust a certificate unless _you_ - and not a
third party - have followed the trust chain yourself.

Craig


Posted by Ari on September 20th, 2007


On Wed, 05 Sep 2007 12:47:05 -0000, Craig A. Finseth wrote:

"You can't trust code that you did not totally create yourself"
Ken Thompson "Reflections on Trusting Trust"
http://www.acm.org/classics/sep95/

Posted by nemo_outis on September 20th, 2007


Ari <arisilverstein@yahoo.com> wrote in news:1l87al1ipfczl
$.ba11mgcc80aq.dlg@40tude.net:

....

I have often wondered why hackers (using trojans, etc.) or even, say,
coworkers in an office, don't install a bogus certificate (or better, a
bogus certificate authority) into other folks' browsers.

Regards,

Posted by Sebastian G. on September 20th, 2007


nemo_outis wrote:


Because this would leave traces? However, they do exactly this thing in
memory. Just create an invalid signature, but change the program's code to
make the verification pass.

Posted by nemo_outis on September 20th, 2007


"Sebastian G." <seppi@seppig.de> wrote in
news:5lftvoF8353vU2@mid.dfncis.de:


Sebastian, you have a positive gift for making something simple into
something difficult and complicated.

Installing a bogus certificate (or certificate authority) into a browser
is quick and simple - your grandmother could do it. No programming
knowledge, no hacking and reverse engineering expertise, no tedious
recoding required. Nor is making the certificate beforehand much bother
- any number of canned programs will do it.

As for traces, 99.9% of folks have no idea of what certificates or
authorities should be in their browsers (and, of course, a recoded
browser also leaves traces). Most haven't a clue about certificates at
all. But even if, by some fluke, someone did, so what if he finds a
bogus certificate authority? That would tell him only what he already
would know by that time - that he'd been scammed.

Regards,






Posted by Sebastian G. on September 20th, 2007


nemo_outis wrote:



And leaves traces. Which is bad.


But a forensic expert at the police does.


Not if you do it solely in memory.

Depends on whether you want a long-term compromise. Phishing is only one
possible way of exploitation.

Posted by nemo_outis on September 21st, 2007


"Sebastian G." <seppi@seppig.de> wrote in
news:5lgcp6F85onuU1@mid.dfncis.de:


And not if you solely use genetically-altered trained baboons with head-
mounted lasers :-)

Why do you have this penchant for grossly overengineering everything,
Sebastian?

Regards,

Posted by Sebastian G. on September 21st, 2007


nemo_outis wrote:


We haven't talked about the intended impact so far. If you just want to
phish a home user, you can go even simpler by actually running an unmodified
connection and just manipulating the screen output. But if you're
compromising a corporate VPN with a well-understood PKI, you'd better not
touch the certificate store.

Posted by nemo_outis on September 21st, 2007


"Sebastian G." <seppi@seppig.de> wrote in
news:5lhhniF811v4U1@mid.dfncis.de:


Compromising a corporate VPN with a PKI? Where the fuck do you get these
bizarre and contrived conditions to justify your bizarre and contrived
"solutions"?

No, Sebastian, we're only talking about the perfectly ordinary, perfectly
vanilla certificate store that is part of every browser on this planet.
And planting an additional certificate or authority in one is child's play.

Regards,
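Galadrial asked what is gained or lost by clicking "Install Certificate", and nemo_outis argued that planting a bogus root in a browser's store is child's play. The Go program below is an added example, not code posted by anyone in this thread; it models the browser's root store with a crypto/x509 CertPool and walks through both halves of the argument: a server certificate verifies only when its issuing root is in the store, and once a stranger's self-signed root is installed, anyone holding that root's key can mint a certificate for any host name that the client will then accept. The CA names and the host name example-bank.test are constructed for the demonstration and refer to no real site.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// CA bundles an issuing certificate with its private key.
type CA struct {
	Cert *x509.Certificate
	Key  *ecdsa.PrivateKey
}

// TrustStore stands in for the browser's root store; Install does what the
// "Install Certificate" button does when the certificate is a root.
type TrustStore struct{ pool *x509.CertPool }

func NewTrustStore() *TrustStore                     { return &TrustStore{pool: x509.NewCertPool()} }
func (s *TrustStore) Install(root *x509.Certificate) { s.pool.AddCert(root) }

// sign generates a fresh key pair, has (parent, parentKey) sign tmpl for that
// key, and parses the result. A nil parentKey means self-signed.
func sign(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parentKey == nil {
		parentKey = key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// NewRootCA creates a self-signed CA certificate (constructed name, 24h validity).
func NewRootCA(name string) (*CA, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	cert, key, err := sign(tmpl, tmpl, nil)
	if err != nil {
		return nil, err
	}
	return &CA{Cert: cert, Key: key}, nil
}

// IssueServerCert has the CA sign a server certificate for host. Nothing in
// X.509 ties a host name to one issuer: any trusted root can vouch for any name.
func (ca *CA) IssueServerCert(host string) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: host}, DNSNames: []string{host},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	cert, _, err := sign(tmpl, ca.Cert, ca.Key)
	return cert, err
}

// VerifyForHost is the check a browser runs on an HTTPS connection: chain the
// server certificate to a root in the store and match it against the host name.
func VerifyForHost(leaf *x509.Certificate, store *TrustStore, host string) error {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: store.pool, DNSName: host,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}})
	return err
}

// IsUnknownAuthority reports whether verification failed only because the
// issuer is absent from the store, the one failure that installing a root removes.
func IsUnknownAuthority(err error) bool {
	var ua x509.UnknownAuthorityError
	return errors.As(err, &ua)
}

func main() {
	const host = "example-bank.test" // constructed host name, not a real site
	store := NewTrustStore()
	bankCA, _ := NewRootCA("Example Bank Root CA")
	bankLeaf, _ := bankCA.IssueServerCert(host)
	store.Install(bankCA.Cert)
	fmt.Println("bank cert, bank root installed:", VerifyForHost(bankLeaf, store, host))
	bogusCA, _ := NewRootCA("Bogus Root CA")
	bogusLeaf, _ := bogusCA.IssueServerCert(host)
	err := VerifyForHost(bogusLeaf, store, host)
	fmt.Println("bogus cert, its root not installed; unknown authority:", IsUnknownAuthority(err), err)
	store.Install(bogusCA.Cert) // the "Install Certificate" click on a stranger's root
	fmt.Println("bogus cert after installing its root:", VerifyForHost(bogusLeaf, store, host))
}
```

Run it with go run; the second line reports an unknown-authority error and the third reports nil, which is the whole trade-off behind the button: for a certificate that already chains to a root the browser ships with, installing it again gains nothing, and for a self-signed one it grants the holder of that key the power to impersonate any site to that browser from then on.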



