SSL without CA hack

1 point

13 years ago

# Intro To safe money and still have some security one can use following hack to use SSL without CA possibly hacked by NSA or others publicly paid but endorsing private interests.

# How to ## 1) Generate self-signed ssl certificate For that you can use openssl or some other tool. Check duck duck go or start page or evil google.

## 2) buy special domain name Use domain name in following format: ssl-subj-key-id-$SSL_SUBJ_KEY_ID.com, where $SSL_SUBJ_KEY_ID should be one of the ssl certificates parameters called Subject key ID or SKI, which according to RFC3280 [1] is essentially sha1 hash of public-key of your cert. It is necessary to divide hash using '-' into two strings to shorten the domain name. ### Example ssl-subj-key-id-a3b8cd018b99d899323-32659ac89d98bb8988d.com

## 3) Inform your users Unfortunately not only the domain name is crazy long you also have to educate every non geek user how to check that the certificate is ok. They have to be instructed to go to the details of obtained certificate and find the SKI in the cert and then painfully check the hash with the domain name they got from you. However if the source of the domain name is not vunerable to man in the middle then this method on the other hand increase little bit the security since this forces everyone to check the authenticity first time they visit the site.

## Or later just buy signature of CA and increase security even more.

## References [1] http://www.ietf.org/rfc/rfc3280.txt

# BTW https://gnunet.org is gonna be BIG! # Happy hacking !

No comments

No comments