
How to detect fake trusted personal/root SSL certificates of target domain

Someone can add a fake SSL cert to the trusted certificates collection. How can I detect these fakes? How can I verify that a cert is official? Is there any list to compare against?

I've added a screenshot of a legal one & a fake one (created by Fiddler):


ADDITION: To ensure your sensitive SSL communication is secure, you have to use certificates from common trusted authorities. If someone installed Fiddler (or malicious software installed its own cert), then I need to cancel any communication attempts and raise an alert in my app on the client's PC.

ADDITION 2: I only care about communication between the end user's PC & Google Docs. We know the Google Docs web site's public certificate is issued by "Google Internet Authority". I think I have to compare it & the installed certificate for Google Docs on the user's PC.

Last word:

I simply need to compare the certificate in use for the target site vs. the target site's original SSL certificate just before any SSL communication.

More info: This link
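One way to do the comparison described in the question, as an added example (not code from the question or from any of the answers): record the SHA-256 fingerprint of the site's known certificate ahead of time ("pin" it) and refuse to talk to the host when the certificate actually presented does not match. A proxy such as Fiddler substitutes its own certificate, which will not match the pin even though the OS trust store was made to trust it. The certificate bytes and pins below are constructed placeholders, and the live-connection helper assumes Python's standard `ssl` module.

```python
import hashlib
import hmac
import socket
import ssl


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate, as lower-case hex."""
    return hashlib.sha256(der_cert).hexdigest()


def check_pin(der_cert: bytes, pins: set) -> bool:
    """True only if the presented certificate matches one of the recorded pins.

    Keep a backup pin for the next planned certificate so rotation does not
    lock clients out; an empty pin set fails closed."""
    if not pins:
        return False
    fp = fingerprint(der_cert)
    return any(hmac.compare_digest(fp, p.lower()) for p in pins)


def fetch_leaf_cert(host: str, port: int = 443, timeout: float = 5.0) -> bytes:
    """Return the DER certificate the server actually presents for `host`.

    The chain is still validated against the OS trust store; the pin check is
    an extra condition on top, which is what catches a proxy certificate the
    OS was made to trust."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def verify_host(host: str, pins: set) -> bool:
    """Fail closed: a TLS error or a pin mismatch means do not talk to the host."""
    try:
        leaf = fetch_leaf_cert(host)
    except (ssl.SSLError, OSError):
        return False
    return check_pin(leaf, pins)


# Constructed stand-ins for real DER certificate bytes, so the demo runs offline.
ORIGINAL_CERT = b"constructed DER bytes of the site's real certificate"
PROXY_CERT = b"constructed DER bytes of a certificate a local proxy generated"
PINS = {fingerprint(ORIGINAL_CERT)}  # recorded ahead of time, out of band

if __name__ == "__main__":
    print(check_pin(ORIGINAL_CERT, PINS), check_pin(PROXY_CERT, PINS))  # True False
```

In a real client you would call `verify_host("<target host>", PINS)` before sending anything sensitive, and refresh the pin set whenever the site rotates its certificate.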

There is no single "official list". You must compare your list to someone else's list.

  • Windows has its own list which is used by Internet Explorer.

  • Firefox maintains a separate list of its own.

I don't know about Chrome, Safari or Opera.

But the long and short is you need to compare your list to other lists which you know are correct, for example from a colleague's computer.

You can't. If the user added it, that means she trusts it. And also, a certificate can be valid without being part of the "official" lists.

Each application maintains (or relies on other applications for) the list of trusted root certificate authorities. Windows has its own list, OpenSSL has its own list, and all major browsers have their own lists (Chrome uses, or can use, the Windows one, if memory serves).

If you create a Windows application, your best bet is to rely on the system list, as it is updated on a regular basis (if you carry your own list, you have to maintain it as well).

One thing to pay attention to is that a certificate issued by a trusted authority doesn't mean a trusted certificate. Some certificates are issued by hacking (this happened with at least two intermediate CAs during the last few years), private keys for others are leaked, and this causes the need to revoke such certificates. Revocation status can be checked by inspecting CRLs (revocation lists published by CAs) or using OCSP (Online Certificate Status Protocol). You need to use them no matter where you get the list of trusted CAs.
