3

I'd like to run some encrypted connections between some of my own servers. One can use Curl (or some other mechanism) to connect using HTTPS without SSL certificate verification. I'm using PHP, but the language probably isn't significant for this question.

I'm assuming using HTTPS without a SSL certificate is atleast more secure than doing the exact same connection over plain HTTP, since atleast it's encrypted and an evildoer would have to make a much larger effort to intercept en decrypt the information.

As far as I know an SSL certificate only says "this trusted third party says the server you connect to is owned by the guys that claim to own it". If I connect using my own domainname or IP address, I know I'm the owner. What additional value does an SSL certificate provide if I'm the owner of both ends of a connection?

Martijn
  • 3,696
  • 2
  • 38
  • 64

2 Answers2

8

Not verifying the identity of the server you connect to leaves the connection open to potential MITM attacks. SSL/TLS can be used without certificates (with anonymous cipher suites), but they're insecure (and disabled by default); as the TLS RFC says: "Note that this mode is vulnerable to man-in-the-middle attacks and is therefore deprecated." In addition, the HTTPS specification itself expects there to be an X.509 certificate.

Checking the identity of the remote party is a necessary element for securing your system. It's not very useful to exchange data secretly with a remote party who may not be who they claim they are (even if the secrecy is guaranteed).

This being said, you don't have to go via a commercial CA. You can either use self-signed certificates, which you would have to import individually into each client as trusted certificate, or create your own institutional CA. There are tools to do this, ranging from OpenSSL's CA.pl (see man-page), TinyCA or OpenCA amongst others. Some operating systems also provide their own small CA capabilities.

If I connect using my own domainname or IP address, I know I'm the owner. What additional value does an SSL certificate provide if I'm the owner of both ends of a connection?

The certificate assures you that you're indeed connecting to your machine and that the traffic hasn't been intercepted. That's why you need to check that it's a certificate that you recognise.

Community
  • 1
  • 1
Bruno
  • 119,590
  • 31
  • 270
  • 376
-2

SSL certificates are more for the piece of mind of your customers or those using your site. In either case, the data is being transmitted over the same connections - it's just a matter of whether or not a third party is certifying you as being safe.

At my last job, we did all of our internal data transfers at my last job via https/ftps but did not have an SSL certificate until very recently. Since the data transfers were internal, it made no difference.

Joe C
  • 3,506
  • 2
  • 21
  • 32
  • I wouldn't go that far. It's like security by obscurity - it's not optimal nor is it recommended, but it's a half step in the right direction. – Joe C Apr 05 '12 at 14:53
  • It's only useful if you're sure no-one will be able to tamper with the connection (i.e. passive eavesdropper only). If there's a chance someone might alter your packets, you need server authentication. It's not just for peace of mind. – Bruno Apr 05 '12 at 15:27
  • To prevent any confusion, this part "a third party is certifying you as being safe." is incorrect. As mentioned above, certificate is used to verify who you're connecting to. – Roman Plášil Oct 25 '16 at 09:41