<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<title>Shorewall Certificate Authority</title>
<meta http-equiv="content-type"
content="text/html; charset=ISO-8859-1">
<meta name="author" content="Tom Eastep">
</head>
<body>
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber1"
bgcolor="#400169" height="90">
<tbody>
<tr>
<td width="100%">
<h1 align="center"><font color="#ffffff">Shorewall Certificate Authority
(CA) Certificate</font></h1>
</td>
</tr>
</tbody>
</table>
<br>
Given that I develop and support Shorewall without asking for any remuneration,
I can hardly justify paying $200US+ a year to a Certificate Authority such
as Thawte (A Division of VeriSign) for an X.509 certificate to prove that
I am who I am. I have therefore established my own Certificate Authority
(CA) and sign my own X.509 certificates. I use these certificates on my list
server (<a href="https://lists.shorewall.net">https://lists.shorewall.net</a>)
which hosts parts of this web site.<br>
<br>
X.509 certificates are the basis for the Secure Sockets Layer (SSL). As
part of establishing an SSL session (URL https://...), your browser verifies
the X.509 certificate supplied by the HTTPS server against the set of Certificate
Authority certificates that were shipped with your browser. It is expected
that the server's certificate was issued by one of the authorities whose
identities are known to your browser. <br>
<br>
This mechanism, while supposedly guaranteeing that when you connect to
https://www.foo.bar you are REALLY connecting to www.foo.bar, means that
the CAs literally have a license to print money -- they are selling a string
of bits (an X.509 certificate) for $200US+ per year!!!<br>
<br>
I wish that I had decided to become a CA rather than designing and writing
Shorewall.<br>
<br>
What does this mean to you? It means that the X.509 certificate that my
server will present to your browser will not have been signed by one of the
authorities known to your browser. If you try to connect to my server using
SSL, your browser will frown and give you a dialog box asking if you want
to accept the sleazy X.509 certificate being presented by my server. <br>
<br>
There are two things that you can do:<br>
<ol>
<li>You can accept the mail.shorewall.net certificate when your browser
asks -- your acceptance of the certificate can be temporary (for that access
only) or permanent.</li>
<li>You can download and install <a href="ca.crt">my (self-signed) CA
certificate.</a> This will make my Certificate Authority known to your browser
so that it will accept any certificate signed by me. <br>
</li>
</ol>
What are the risks?<br>
<ol>
<li>If you install my CA certificate then you assume that I am trustworthy
and that Shorewall running on your firewall won't redirect HTTPS requests
intended to go to your bank's server to one of my systems that will present
your browser with a bogus certificate claiming that my server is that of your
bank.</li>
<li>If you only accept my server's certificate when prompted then the
most that you have to lose is that when you connect to https://mail.shorewall.net,
the server you are connecting to might not be mine.</li>
</ol>
I have my CA certificate loaded into all of my browsers but I certainly
won't be offended if you decline to load it into yours... :-)<br>
<p align="left"><font size="2">Last Updated 1/17/2003 - Tom Eastep</font></p>
<p align="left"><font face="Trebuchet MS"><a href="copyright.htm"> <font
size="2">Copyright</font> © <font size="2">2001, 2002, 2003 Thomas
M. Eastep.</font></a></font></p>
<br>
<br>
<br>
</body>
</html>