<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<title>Shorewall Certificate Authority</title>
<meta http-equiv="content-type" content="text/html; charset=ISO-8859-1">
<meta name="author" content="Tom Eastep">
</head>
<body>
<h1 style="text-align: center;">Shorewall Certificate Authority (CA) Certificate<br>
</h1>
Given that I develop and support Shorewall without asking for any
remuneration, I can hardly justify paying $200US+ a year to a
Certificate Authority such as Thawte (A Division of VeriSign) for an
X.509 certificate to prove that I am who I am. I have therefore
established my own Certificate Authority (CA) and sign my own X.509
certificates. I use these certificates on my list server (<a
href="https://lists.shorewall.net">https://lists.shorewall.net</a>)
which hosts parts of this web site.<br>
<br>
X.509 certificates are the basis for the Secure Sockets Layer (SSL). As
part of establishing an SSL session (URL https://...), your browser
verifies the X.509 certificate supplied by the HTTPS server against the
set of Certificate Authority certificates that were shipped with your
browser. It is expected that the server's certificate was issued by one
of the authorities whose identities are known to your browser. <br>
<br>
This mechanism, while supposedly guaranteeing that when you connect to
https://www.foo.bar you are REALLY connecting to www.foo.bar, means
that the CAs literally have a license to print money -- they are
selling a string of bits (an X.509 certificate) for $200US+ per
year!!! <br>
<br>
I wish that I had decided to become a CA rather than designing and
writing Shorewall.<br>
<br>
What does this mean to you? It means that the X.509 certificate that my
server will present to your browser will not have been signed by one of
the authorities known to your browser. If you try to connect to my
server using SSL, your browser will frown and give you a dialog box
asking if you want to accept the sleazy X.509 certificate being
presented by my server. <br>
<br>
There are two things that you can do:<br>
<ol>
<li>You can accept the mail.shorewall.net certificate when your
browser asks -- your acceptance of the certificate can be temporary
(for that access only) or permanent.</li>
<li>You can download and install <a href="ca.crt">my (self-signed)
CA certificate.</a> This will make my Certificate Authority known to
your browser so that it will accept any certificate signed by me. <br>
</li>
</ol>
What are the risks?<br>
<ol>
<li>If you install my CA certificate then you assume that I am
trustworthy and that Shorewall running on your firewall won't redirect
HTTPS requests intended to go to your bank's server to one of my
systems that will present your browser with a bogus certificate
claiming that my server is that of your bank.</li>
<li>If you only accept my server's certificate when prompted then the
most that you have to lose is that when you connect to
https://mail.shorewall.net, the server you are connecting to might not
be mine.</li>
</ol>
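<p>An added demonstration of the two choices and their risks above, built with the openssl command line; it is not code from the Shorewall site. A throwaway private CA stands in for ca.crt, and the two server certificates, the hostnames and the file names are all constructed for the demo. It shows that trusting the CA (choice 2) accepts every certificate that CA ever signed, while accepting one certificate (choice 1, modelled here as a SHA-256 fingerprint pin) matches only that certificate.</p>

```shell
#!/bin/sh
# Added demo, not from the Shorewall site. Assumes the openssl CLI is
# installed; the CA, hostnames and file names are all constructed here.
set -eu
WORK=$(mktemp -d)
cd "$WORK"

# A self-signed CA certificate, the stand-in for the page's ca.crt.
openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
  -subj "/CN=Demo Private CA" -keyout ca.key -out ca.crt 2>/dev/null

# issue_cert HOSTNAME PREFIX: a server certificate for HOSTNAME signed by the CA.
issue_cert() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$1" \
    -keyout "$2.key" -out "$2.csr" 2>/dev/null
  openssl x509 -req -in "$2.csr" -CA ca.crt -CAkey ca.key -CAcreateserial \
    -days 90 -out "$2.crt" 2>/dev/null
}
issue_cert mail.shorewall.net server     # the list server's certificate
issue_cert www.example-bank.test bank    # anything else the CA's owner could sign

# Choice 2: the CA itself is trusted, so every certificate it signed chains.
trusted_via_ca() { openssl verify -CAfile ca.crt "$1" >/dev/null 2>&1; }

# The default trust store plays the "CA certificates shipped with your
# browser"; returns 0 when that store does NOT accept the certificate.
rejected_by_default_store() {
  if openssl verify "$1" >/dev/null 2>&1; then return 1; else return 0; fi
}

# Choice 1: one specific certificate is accepted, modelled as a pin on its
# SHA-256 fingerprint; a different certificate from the same CA won't match.
fingerprint() { openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2; }
PIN=$(fingerprint server.crt)
matches_pin() { [ "$(fingerprint "$1")" = "$PIN" ]; }

# Summary when run by hand.
for c in server.crt bank.crt; do
  printf '%-11s chains-to-ca=%s matches-pin=%s\n' "$c" \
    "$(trusted_via_ca "$c" && echo yes || echo no)" \
    "$(matches_pin "$c" && echo yes || echo no)"
done
```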
I have my CA certificate loaded into all of my browsers but I certainly
won't be offended if you decline to load it into yours... :-)<br>
<p align="left"><font size="2">Last Updated 1/17/2003 - Tom Eastep</font></p>
<p align="left"><font face="Trebuchet MS"><a href="copyright.htm"> <font
size="2">Copyright</font> © <font size="2">2001, 2002, 2003 Thomas M.
Eastep.</font></a></font></p>
<br>
<br>
<br>
<br>
</body>
</html>