3

My WiFi is shared with my family, and my siblings have friends come over sharing the WiFi password carelessly. Anyone of those guests could have a rogue device and not even know it.

My brother has his own PC and I'm concerned about my brother's ability to keep his PC clean.

I have servers running on my LAN and I use self-signed certs for them.

Considering how many connected devices are on my LAN that I do not control, does this mean my self-signed certs are potentially useless and my secure comms are potentially useless?

How can I solve this without needing FQDN and CA == (let's talk about fingerprinting)?

I know the first step towards a solution would be VLANs to containerize non-trusted guest devices. However, there should be a way to have trust with a self-signed cert even when there are rogue devices in the network (enter fingerprinting).

I really want to understand fingerprinting and how I can manually crosscheck keys to know if there is a MiTM.

schroeder
  • 123,438
  • 55
  • 284
  • 319
m0p3r
  • 41
  • 6
  • Please use proper sentence and paragraph structures in the future. – schroeder Jun 07 '18 at 15:40
  • 4
    Possible duplicate of [Verify my own self signed SSL certificate](https://security.stackexchange.com/questions/127767/) and [Self Signed SSL Certificate - How to verify it correctly on the client side?](https://security.stackexchange.com/questions/163037) and [Does checking the fingerprint of a self signed certificate improve security?](https://security.stackexchange.com/questions/50867) and maybe more. – Steffen Ullrich Jun 07 '18 at 15:48

1 Answers1

0

Your untrusted guests cannot undermine the security from your self-signed certificate just because they got infected by malware. To you to be fooled into accepting a rogue certificate, any attacker have to download the certificate from your server, create another one with the same values, ARP-spoof your computer and MitM your connection to your server. Not something a malware would do for itself.

How to solve that? Create a CA yourself, and add the CA certificate to your browser. This way, even if someone worked the above attack, it won't work because your browser will not trust their self-signed certificate.

This site have a nice guide, check it later for full information. I will summarize bellow:

openssl genrsa -des3 -out myCA.key 2048
openssl req -x509 -new -nodes -key myCA.key -sha256 -days 1825 -out myCA.pem

Now you have myCA.pem, import it on your browser and OS.

After that, create the certificates and sign them:

openssl genrsa -out dev.mergebot.com.key 2048
openssl req -new -key dev.mergebot.com.key -out dev.mergebot.com.csr
openssl x509 -req -in dev.mergebot.com.csr -CA myCA.pem -CAkey myCA.key -CAcreateserial -out dev.mergebot.com.crt -days 1825 -sha256 -extfile dev.mergebot.com.ext

You will now have 3 files, the private key is the .key, the certificate is .crt, and the certificate request is the .csr and you don't need it after creating the certificate. Install the .key and .crt on your servers and you are good to go.

ThoriumBR
  • 50,648
  • 13
  • 127
  • 142
  • You say untrusted guests cannot undermine the security of self signed certs and then you explain how it is in fact possible. Even the slightest chance of it being possible equates to potentially useless encryption. In my OP I stated I wanted ways to manually verify keys and thumbprints without the use of a CA – m0p3r Jun 07 '18 at 20:14
  • I said _just because they got infected_, not because they are actively attacking you. You can manually check the connection every time, by saving the fingerprint somewhere and comparing it *every single time*. It's better and less time consuming to just create a CA once every 5 years. – ThoriumBR Jun 07 '18 at 20:17
  • What if I'm targeted and untrusted guests are the only weak link – m0p3r Jun 07 '18 at 20:18
  • If you are targeted, use full disk encryption, harden your servers, don't let untrusted users on your network, don't use self-signed certificates, and buy a real certificate from a real CA. If you are targeted and the attacker is inside your house, assume they will physically access your computers. But I don't believe your guests are professional hackers paid to attack you. Or they are? – ThoriumBR Jun 07 '18 at 20:21
  • I'm just looking for some ways to get and verify the thumbprints for various things like ssh for example – m0p3r Jun 07 '18 at 20:26
  • A random guest attacking you cannot forge the SSH fingerprint **IF** you already connected to the SSH server at least once. The fingerprint is already saved on your system and SSH client will detect any tampering. – ThoriumBR Jun 07 '18 at 20:28
  • I'm mostly concerned with init setup and first time verification before any caching happens. Ways to set up a new server and be 100% certain it's perfectly secure – m0p3r Jun 07 '18 at 20:30