3

Someone can add a fake SSL cert. into trusted certificates collection. How can I detect these fakes? How can I verify a cert is official, is there any list to compare?

I've added a screenshot of a legal & a fake one (created by Fiddler):

enter image description here

ADDITION: To ensure your sensitive SSL communication is secure, you have to use certificates of common trusted authorities. If someone installed Fiddler -or a malicious software installed its own cert.- then I need to cancel any communication attempts and alert in my app at client's pc.

ADDITION 2 I only care about communication between end user's pc & Google Docs. We know Google Docs web site's public certificate is given by "Google Internet Authority". I think I have to compare it & installed certificate for Google Docs on user's pc.

Last word:

I need to simply compare the certificate in use for target site vs the target site's original SSL certificate just before any SSL comunication.

More info: This link

Community
  • 1
  • 1
Nime Cloud
  • 6,162
  • 14
  • 43
  • 75

3 Answers3

3

There is no single "official list". You must compare your list to someone else's list.

  • Windows has its own list which is used by Internet Explorer.

  • Firefox maintains a separate list of its own.

I don't know about Chrome, Safari or Opera.

But the long and short is you need to compare your list to other lists which you know are correct, for example from a colleague's computer.

Ben
  • 34,935
  • 6
  • 74
  • 113
2

You can't. If user added it, that means she trusts it. And also, a certificate can be valid without being part of the "official" lists.

clearpath
  • 916
  • 8
  • 24
  • I haven't ask for checking validity. I've asked for detecting the cert which one inserted by malicious person/software. If the authority is not common then it might be fake. – Nime Cloud Mar 05 '12 at 11:41
  • 1
    @Nime It seems that you are solving a problem you should not be solving. – clearpath Mar 05 '12 at 13:13
1

Each application maintains (or relies on other applications) the list of trusted root certificate authorities. Windows has its own list, OpenSSL has its own list, all major browsers have their own lists (Chrome uses or can use Windows one, if memory serves).

If you create a Windows application, your best bet is to rely on system list, as it is updated on a regular basis (if you carry your own list, you have to maintain it as well).

One thing to pay attention to is that the certificate issued by trusted authority doesn't mean trusted certificate. Some certificates are issued by hacking (this happened at least with two intermediate CAs during last years), private keys for others are leaked, and this causes the need to revoke such certificates. Revocation status can be checked by inspecting CRLs (revocation lists published by CAs) or using OCSP (online certificate status protocol). You need to use them no matter where you get the list of trusted CAs.

Eugene Mayevski 'Callback
  • 45,135
  • 8
  • 71
  • 121