security - Are SSL's default snake oil certificates truly snake oil as opposed to being genuine honest-to-good certificates?

2014-04-06
  • Prateek

    SSL generates self-signed "snake oil" certificates by default, for example at /etc/ssl/certs/ssl-cert-snakeoil.pem. As per Wikipedia, snake oil is a cryptographic method or product that is considered fraudulent or bogus. Is there anything bogus about these certificates? Sure, they aren't signed by any known certificate authority, but the certificates themselves could still be genuine certificates as good as any other. For example, I might be distributing my server's public key to all my clients securely in person. Assuming this, is there anything snake-oil-worthy of the generated certificates, or is the name misleading?

  • Answers
  • Toby Allen

    Remember SSL serves two very important functions

    1. Secure communication
    2. Trust

    Any self-generated SSL certificate gives you 1, which allows encrypted traffic, or as you say a valid SSL certificate.

    However a self-generated SSL certificate can only give Trust to people who trust you. The reason for SSL certs being generated by trusted 3rd parties is to provide number 2. Your browser trusts them and they trust you. If you generate it yourself you could claim to be www.microsoft.com and if someone trusted you it would be.

    This is why self-generated certificates are snake oil certs.

  • ultrasawblade

    Self-signed certificates will encrypt your communication just the same as standard ones. So the encryption is not the issue.

    Certificates can also be used to verify identity. How it is supposed to work is that when you connect securely to a server, that server presents its certificate to you or your browser, and then you or your browser decide if you can trust the server's assertion of identity.

    Certificates can be signed by other "higher-level" certificates, typically called certification authorities. So, if the server's certificate is signed by a CA that you or your browser trusts, the identity is considered valid.

    Most major browsers come with a number of root certificates that they automatically trust, from Verisign and other well-known CAs.

    With a self-signed certificate, since it is not signed by a third-party CA but the same entity that made the certificate, you cannot depend on anyone else to verify the identity except the one who generated the certificate. It's equivalent to someone printing their own ID card and giving it to you to verify identity. This isn't necessarily a problem, despite browser warnings, if you know/trust who generated the certificate or did it yourself.
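
    Both answers above make the same split: a self-signed certificate encrypts like any other, but identity is only as good as the party that vouches for it. The script below is an added example, not code from either answer, that demonstrates this with the openssl command line: it generates a self-signed certificate (the same kind of artifact as /etc/ssl/certs/ssl-cert-snakeoil.pem), shows that its issuer equals its subject, shows that verification against the default trust store fails, and shows that verification succeeds once the certificate itself is pinned as the trust anchor, which is what "handing the key over in person" amounts to. The hostname intranet.example.test and the temporary file paths are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original answers): create a self-signed
# certificate for a constructed hostname and show that it is cryptographically
# sound but only verifies when the verifier explicitly trusts it.
set -u

WORKDIR="$(mktemp -d)"
trap 'rm -rf "$WORKDIR"' EXIT
CERT="$WORKDIR/selfsigned.pem"
KEY="$WORKDIR/selfsigned.key"

# Generate a key pair and a self-signed certificate (same kind of artifact as
# /etc/ssl/certs/ssl-cert-snakeoil.pem; the CN here is constructed).
make_self_signed() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
    -subj "/CN=intranet.example.test" \
    -keyout "$KEY" -out "$CERT" >/dev/null 2>&1
}

# A self-signed certificate has identical subject and issuer: nobody but the
# holder vouches for the identity.
issuer_check() {
  subject="$(openssl x509 -in "$CERT" -noout -subject)"
  issuer="$(openssl x509 -in "$CERT" -noout -issuer)"
  # Strip the "subject=" / "issuer=" prefixes before comparing the names.
  if [ "${subject#subject=}" = "${issuer#issuer=}" ]; then
    echo self-signed
  else
    echo ca-signed
  fi
}

# Verify against the default trust store, as a browser would on first contact:
# the certificate is in no CA list, so the identity cannot be confirmed.
verify_default_store() {
  if openssl verify "$CERT" >/dev/null 2>&1; then
    echo accepted
  else
    echo rejected
  fi
}

# Verify after pinning the certificate as the trust anchor, which is what a
# client does after receiving the certificate out of band (e.g. in person).
verify_explicit_trust() {
  if openssl verify -CAfile "$CERT" "$CERT" >/dev/null 2>&1; then
    echo accepted
  else
    echo rejected
  fi
}

make_self_signed
echo "issuer check:        $(issuer_check)"
echo "default trust store: $(verify_default_store)"   # rejected
echo "explicit trust:      $(verify_explicit_trust)"  # accepted
```

    The encryption side never changes between the two verify calls: the key pair and the TLS handshake it would protect are the same. Only the trust decision changes, and it changes because the client was told, out of band, which certificate to trust.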


  • Related Question

    browser - Set a Default Digital Certificate
  • Questioner

    We have a site that requires SSL digital certificates and have issued client side certificates to allow users to connect. The users are now complaining that when they browse to our site they are prompted to select our certificate from a list, even though there is only one matching certificate (the one we issued).

    How can the user tell their browser to always use a particular certificate (to avoid being prompted) ?


  • Related Answers
  • John T

    If this is a local server, give them the Root certificate to install on their browser's certificate store under Trusted Root Authorities. If your certificate came from a real Root CA such as VeriSign, your customers shouldn't need to be installing anything.

  • Robert

    I don't know of any way to avoid this in Internet Explorer or Chrome but if your users use Firefox they can go to Tools, Options, Advanced, Encryption, and click "Select one automatically" under "When a server requests my personal certificate".