Wolves in sheeps’ clothing
Things often turn out great when you do them yourself. But when it comes to signing SSL certificates, you might want to give that DIY project a second thought. Before digging deep into the risks of using self-signed certificates, let’s spend some time getting re-acquainted with the functions of SSL certificates.
What do SSL certificates do?
The functions performed by SSL certificates can be broadly classified into two categories:
- Encryption: SSL certificates encrypt data in transit using Secure Socket Layer (SSL) protocol. When you reach out to a website, SSL certificates ensure that the communication between you and the website remains private.
- Authentication: SSL certificates certify the validity of an organization, so that users can make sure they’ve reached the correct website and feel safe sharing their private information.
Risks of using self-signed certificates.
SSL certificates are generally signed and issued by trusted third parties called certificate authorities (CAs). CAs verify that website owners really are who they claim to be (that’s right, browsers don’t trust you). If your organization has any public-facing websites, it’s best to use CA-signed certificates. Signing SSL certificates on your own can put you through either one or both of the problems below.
- Browser security warnings: If you’re using self-signed certificates, browsers will display security warnings to visitors on your website, indicating that it is not safe enough for him/her to share private data with your organization. This drastically brings down the trust customers have in your organization and is a huge blow to your reputation.
- Website phishing due to key compromise: Self-signed certificates originate internally, meaning the private keys remain with you. If you don’t keep track of your private keys, chances are high that they might land in the wrong hands. Attackers who have access to your private keys can create a similar certificate, set up a duplicate server, spoof your website, divert internet traffic, and steal your customers’ data. Self-signed certificates can turn into a complete disaster for you and your customers if private keys are compromised.
Read the entire article here, Wolves in sheeps’ clothing « ManageEngine Blogs
Via the fine folks at ManageEngine.