
For example, if my friend develops a webapp with a custom cert and I add them as CA to my browser, can they do any damage? I mean, for example, somehow faking certs and stealing my banking password, etc.? Are there such risks with custom cert authorities?

inf3rno
  • Possible duplicate of [What access does installing custom certificate file give?](https://security.stackexchange.com/questions/155242/what-access-does-installing-custom-certificate-file-give) – multithr3at3d Jul 28 '19 at 17:19
  • You should tell your friend to visit https://letsencrypt.org :) – Nonny Moose Jul 29 '19 at 01:57
  • @NonnyMoose I am not sure that is possible without a proper domain. We just write a few applications for ourselves to have fun and want them to be SSL-ed. We might start a custom DNS server for it or register to dyndns. Btw. is the free Let's Encrypt SSL safe enough? I mean I heard something a few years ago that the encryption is not good enough by it. – inf3rno Jul 29 '19 at 18:05
  • @inf3rno Let's Encrypt security is good. [This forum thread](https://community.letsencrypt.org/t/encryption-algorithm-and-key-size/31751) elaborates on the type of algorithms used. – Nonny Moose Jul 29 '19 at 21:44

1 Answer


Is it dangerous to add a custom cert authority to a browser?

It is pretty dangerous. The owner of this CA can use it for man-in-the-middle attacks or to impersonate arbitrary web sites, since your browser will trust the CA to create certificates for arbitrary sites. Using such attacks he can then intercept your passwords and other sensitive data.

For example if my friend develops a webapp with a custom cert and I add them as CA to my browser, ...

There is no need to import the certificate as a CA into the browser. You can just import this specific certificate as a trusted server certificate, but not as a CA certificate. If you do it this way it can only be used to MITM and impersonate sites which are covered by the certificate's subject/SAN.

Or you can just add an exception if the browser warns you. In this case the certificate is only treated as valid for the site you visited but not for all the other domains which might be covered by the subject/SAN.

Steffen Ullrich
  • It's worth noting that if you merely add an exception to ignore the untrusted certificate for the site, then your connection to that site could be MITM'd by a third party. – Nonny Moose Jul 29 '19 at 01:57
  • @NonnyMoose: The exception gets added for this specific certificate for this specific site. If another certificate is presented for the specific site (like in case of a later MITM) then the existing exception does not allow the new certificate. Also, one should check if the certificate is the expected one when adding an exception - the same as not importing arbitrary certificates into the browser but only the one provided by a trusted source. – Steffen Ullrich Jul 29 '19 at 05:30
  • Thanks! I thought so too that I can be MITM-ed if I add a custom CA to my browser. – inf3rno Jul 29 '19 at 18:01
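To make the three trust scopes from the answer and from Steffen Ullrich's comment concrete, here is a small Python model added to this page (it is not code from the thread): a trust store that can hold an imported CA, an imported server certificate, or a per-site exception, plus a decision function showing how far each one reaches. The certificates, names and fingerprints are constructed stand-ins, and chain checking is reduced to issuer/subject name links with no signature verification.

```python
from typing import NamedTuple
class Cert(NamedTuple):  # stand-in for an X.509 cert; signatures are modelled by issuer/subject name links only
    subject: str
    issuer: str
    sans: tuple
    fingerprint: str

class TrustStore(NamedTuple):
    ca_subjects: frozenset = frozenset()        # option 1: imported as CA
    leaf_fingerprints: frozenset = frozenset()  # option 2: imported as trusted server certificate
    exceptions: dict = {}                       # option 3: host -> fingerprint, "add an exception"

def host_matches(pattern: str, host: str) -> bool:  # RFC 6125-style SAN matching
    p, h = pattern.lower().split("."), host.lower().split(".")
    if len(p) != len(h) or len(p) < 2:
        return False
    return p[1:] == h[1:] and len(p) > 2 if p[0] == "*" else p == h  # one wildcard, left-most label only

def chains_to_trusted_ca(chain, store) -> bool:  # chain = [leaf, intermediates...]
    linked = all(c.issuer == parent.subject for c, parent in zip(chain, chain[1:]))
    return linked and chain[-1].issuer in store.ca_subjects

def trust_decision(store, chain, host):  # why the browser accepts chain[0] for host, or None
    leaf = chain[0]
    if store.exceptions.get(host) == leaf.fingerprint:
        return "exception"  # pinned to this exact certificate and this host only
    if not any(host_matches(s, host) for s in leaf.sans):
        return None  # name not covered by the certificate's subject/SAN
    if leaf.fingerprint in store.leaf_fingerprints:
        return "leaf"  # trusted, but only for the names it carries
    return "ca" if chains_to_trusted_ca(chain, store) else None  # CA trust: any name its owner signs

CA = "Friend Test CA"  # constructed test data: the friend's CA; every cert below is one its owner could mint
APP = Cert("app.friend.test", CA, ("app.friend.test", "*.friend.test"), "fp-app-1")
BANK = Cert("online.bank.test", CA, ("online.bank.test",), "fp-bank")
APP2 = Cert("app.friend.test", CA, ("app.friend.test",), "fp-app-2")  # replacement cert for the same site

def demo():
    ca_store = TrustStore(ca_subjects=frozenset({CA}))
    leaf_store = TrustStore(leaf_fingerprints=frozenset({APP.fingerprint}))
    exc_store = TrustStore(exceptions={"app.friend.test": APP.fingerprint})
    return {
        "ca/bank": trust_decision(ca_store, [BANK], "online.bank.test"),     # "ca": impersonation accepted
        "leaf/app": trust_decision(leaf_store, [APP], "app.friend.test"),    # "leaf"
        "leaf/wild": trust_decision(leaf_store, [APP], "dev.friend.test"),   # "leaf", via *.friend.test
        "leaf/bank": trust_decision(leaf_store, [BANK], "online.bank.test"), # None: no CA trust granted
        "exc/app": trust_decision(exc_store, [APP], "app.friend.test"),      # "exception"
        "exc/wild": trust_decision(exc_store, [APP], "dev.friend.test"),     # None: exception is per host
        "exc/app2": trust_decision(exc_store, [APP2], "app.friend.test"),    # None: a different certificate
    }
```

The `ca/bank` case is the risk the answer describes, while `exc/app2` is the point of the comment: an exception is bound to one certificate on one host, so a later certificate for the same site is not covered.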