Fake server certificate attack in SSL/TLS

Question

I have a server with a self-signed certificate server.crt that the client trusts by adding the self-created authority to his browser's trusted authorities. Now, upon connecting to the server's IP address through https://, the browser will say the connection is secure as the certificate shown is trusted. But how can the client be sure that the certificate that was shown is actually this specific self-signed server.crt, and not another certificate that was for example signed by Verisign?

Maybe my question comes down to this: How easy is it for an attacker to get a signature from the other (standard) trusted authorities in a browser?

Of course the client can always check manually in his browser which certificate was actually shown, but this seems like a step that shouldn't have to be done every time he connects to the server.

Answer 1

You can use HPKP to pin the public key of your self-created authority, thus after the first connection the client will refuse any certificate signed by another trusted CA.

Answer 2

How easy is it for an attacker to get a signature from the other (standard) trusted authorities in a browser?

There is an example from Phishing with Unicode Domains post witch explain how can an attacker be able to create a phishing page with SSL certificate to deceive your browser by showing a secure connection.

Answer 3

In order for a certificate to be issued by a public CA for a host name, you need to be at the very least in control of that host name.

so, if you own the domain name that is referenced in the certificate then you can be reasonably certain nobody will be able to request and obtain a certificate for that same domain through a public CA.

Another important element to know about is that CAs will not issue certificates for private domains. For instance, if you use an internal TLD (e.g. .local) then public CAs will not provide you with a corresponding certificate.