mirror of
https://gitlab.com/shorewall/code.git
synced 2024-12-17 11:51:20 +01:00
36aa2c8e88
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@385 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
93 lines
3.8 KiB
HTML
93 lines
3.8 KiB
HTML
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
|
|
<html>
|
|
<head>
|
|
<title>Shorewall Certificate Authority</title>
|
|
|
|
<meta http-equiv="content-type"
|
|
content="text/html; charset=ISO-8859-1">
|
|
|
|
<meta name="author" content="Tom Eastep">
|
|
</head>
|
|
<body>
|
|
|
|
<table border="0" cellpadding="0" cellspacing="0"
|
|
style="border-collapse: collapse;" width="100%" id="AutoNumber1"
|
|
bgcolor="#400169" height="90">
|
|
<tbody>
|
|
<tr>
|
|
<td width="100%">
|
|
|
|
<h1 align="center"><font color="#ffffff">Shorewall Certificate Authority
|
|
(CA) Certificate</font></h1>
|
|
</td>
|
|
</tr>
|
|
|
|
</tbody>
|
|
</table>
|
|
<br>
|
|
Given that I develop and support Shorewall without asking for any renumeration,
|
|
I can hardly justify paying $200US+ a year to a Certificate Authority such
|
|
as Thawte (A Division of VeriSign) for an X.509 certificate to prove that
|
|
I am who I am. I have therefore established my own Certificate Authority (CA)
|
|
and sign my own X.509 certificates. I use these certificates on my web server
|
|
(<a href="http://www.shorewall.net">http://www.shorewall.net</a>) as well
|
|
as on my mail server (mail.shorewall.net).<br>
|
|
<br>
|
|
X.509 certificates are the basis for the Secure Socket Layer (SSL). As part
|
|
of establishing an SSL session (URL https://...), your browser verifies the
|
|
X.509 certificate supplied by the HTTPS server against the set of Certificate
|
|
Authority Certificates that were shipped with your browser. It is expected
|
|
that the server's certificate was issued by one of the authorities whose identities
|
|
are known to your browser. <br>
|
|
<br>
|
|
This mechanism, while supposedly guaranteeing that when you connect to https://www.foo.bar
|
|
you are REALLY connecting to www.foo.bar, means that the CAs literally have
|
|
a license to print money -- they are selling a string of bits (an X.509 certificate)
|
|
for $200US+ per year!!!I <br>
|
|
<br>
|
|
I wish that I had decided to become a CA rather that designing and writing
|
|
Shorewall.<br>
|
|
<br>
|
|
What does this mean to you? It means that the X.509 certificate that my
|
|
server will present to your browser will not have been signed by one of the
|
|
authorities known to your browser. If you try to connect to my server using
|
|
SSL, your browser will frown and give you a dialog box asking if you want
|
|
to accept the sleezy X.509 certificate being presented by my server. <br>
|
|
<br>
|
|
There are two things that you can do:<br>
|
|
|
|
<ol>
|
|
<li>You can accept the www.shorewall.net certificate when your browser
|
|
asks -- your acceptence of the certificate can be temporary (for that access
|
|
only) or perminent.</li>
|
|
<li>You can download and install <a href="ca.crt">my (self-signed) CA
|
|
certificate.</a> This will make my Certificate Authority known to your browser
|
|
so that it will accept any certificate signed by me. <br>
|
|
</li>
|
|
|
|
</ol>
|
|
What are the risks?<br>
|
|
|
|
<ol>
|
|
<li>If you install my CA certificate then you assume that I am trustworthy
|
|
and that Shorewall running on your firewall won't redirect HTTPS requests
|
|
intented to go to your bank's server to one of my systems that will present
|
|
your browser with a bogus certificate claiming that my server is that of
|
|
your bank.</li>
|
|
<li>If you only accept my server's certificate when prompted then the
|
|
most that you have to loose is that when you connect to https://www.shorewall.net,
|
|
the server you are connecting to might not be mine.</li>
|
|
|
|
</ol>
|
|
I have my CA certificate loaded into all of my browsers but I certainly
|
|
won't be offended if you decline to load it into yours... :-)<br>
|
|
|
|
<p align="left"><font size="2">Last Updated 11/14/2002 - Tom Eastep</font></p>
|
|
|
|
<p align="left"><font face="Trebuchet MS"><a href="copyright.htm"> <font
|
|
size="2">Copyright</font> © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>
|
|
<br>
|
|
<br>
|
|
</body>
|
|
</html>
|