3

If I verify the fingerprint of a self-signed SSL certificate on the client, can a man-in-the-middle attack still occur?

iRyanBell
  • 413
  • 2
  • 11
  • 20
  • 2
    See also [Self-Signed Certificate Risks](http://serverfault.com/q/349365); [Is a Self Signed SSL Certificate a False Sense of Security?](http://serverfault.com/q/279780); and [Are self-signed SSL certificates secure?](http://serverfault.com/q/363707) – Chris S Mar 24 '12 at 02:39
  • You can create your own certificate authority (CA), and distribute the public CA cert to all the clients who will be connecting to a server with certs signed by that CA. Then they'll work just like any other certificate. Just make sure to guard the CA key. – phemmer Mar 24 '12 at 02:40
  • @Patrick http://www.ejbca.org may be a good place to start for people who aren't familiar with running a CA already. Makes the process fairly easy. – Chris S Mar 24 '12 at 14:22

2 Answers2

7

Only if they manage to actually reproduce the fingerprint, which is much, much harder.

The Fingerprint is actually the most reliable method of determining a certificate is what it should be. It's just ignored by just about everyone.

sysadmin1138
  • 131,083
  • 18
  • 173
  • 296
5

A self signed certificate is just as "secure" as a CA issued certificate given the same cryptographic specifications. All the same vulnerabilities and strengths are there.

The only difference is that clients generally have a preconfigured list of trusted CAs and will not ask, where they'll always initially ask for self-signed. Which it sounds like you're already aware of.

Chris S
  • 77,337
  • 11
  • 120
  • 212
  • 1. "All the same vulnerabilities and strengths are there." man-in-the-middle not applicable to vulnerabilities and strengths 2. *You did answer on clearly asked question* at all. Downvote, ace of diamonds – Lazy Badger Mar 24 '12 at 04:40
  • 1
    Erh, no he did answer the question correctly imo. I think you are the one that's talking bs. – Lucas Kauffman Mar 24 '12 at 07:33
  • 1
    @LazyBadger I don't think you understand security, perhaps you should read up on MITM attacks and how they can apply to HTTPS communication. My answer implies that using a self signed certificate makes it no more or less likely that a MITM attack can be performed. If you are having trouble understanding you should ask for help. – Chris S Mar 24 '12 at 14:20