[Dshield] betaplace.com

M Cook dshieldlists at versateam.com
Sat Dec 6 18:33:49 GMT 2003

Speaking of certificate hierarchy, a bit of snooping shows that the 
issuer of the  "Microsoft Secure Server Authority" certificate is 
something called "Microsoft Internet Authority" which is in turn issued 
by GTE CyberTrust, which is one of the builtin certificate authorities 
for Mozilla. This hierarchy seems to be legitimate, that is, if we trust 
GTE CyberTrust, we deduce that the Microsoft Internet Authority is 
legit, and in turn we deduce that the "Microsoft Secure Server 
Authority" is legit.

I personally don't "trust" any of the authorities too far. I trust the 
certificates, though (to a certain extent): once a certificate is issued 
by a third party, it becomes virtually impossible to change. So I can be 
fairly confident that a certificate used for two separate signatures (or 
SSL connections), say three weeks apart, is the same certificate -- 
which in many cases is all I really need to know.

By my way of thinking, "betaplace" would be on probation for weeks or 
months before I trusted it very far. If the certificate is persistent, 
that would gradually increase my confidence that I am dealing with the 
same site each time I visit; by the same token, if the certificate 
changed, that would be a warning to stop and decide whether something is 
wrong. (Yes, this does assume that the server used by betaplace is 
secure, but trusting or not trusting a certificate has nothing to do 
with detecting a compromise!)

The one thing I found confusing about this is that Mozilla's Certificate 
Manager doesn't seem to handle certificate authorities (CAs) that are 
three levels down from the root the way I would expect. That is, if I 
add the certificate for the "Microsoft Internet Authority" with the 
Certificate Manager, it fits in nicely under GTE CyberTrust, but the 
"Microsoft Secure Server Authority" (which it issued) is still not 
trusted as an authority. If I then add the "Microsoft Secure Server 
Authority" certificate as a trusted authority, it goes into its own slot 
with an empty parent, not into the GTE CyberTrust hierarchy with 
"Microsoft Internet Authority" as a parent, which is what I expected. 
(mozilla 1.5)

Or maybe there's some standard that says that a CA hierarchy should 
never be three deep?

Anyway, now to go remove those authorities from the certificate manager 
again. Like I said, I don't trust CAs very much.  :-)  I'd much rather 
be warned when going to a site like that, than add the certificate to 
the certificate manager and become complacent.

Johannes B. Ullrich wrote:

>Preamble: This is a very confusion issue. In order to avoid more
>confusion, I am sending this post ahead of other replies. I usually
>don't hold other posts back. But I would like to avoid confusion.
>All other posts, if they agree or not, will be approved shortly.
>'www.betaplace.com' is an authentic site operated by Microsoft.
>However, I agree that it is confusing. The 'https' version is using an
>SSL certificate, which is signed by
>"Microsoft Secure Server Authority". My browser
>(Mozilla), does not include this as a trusted certificate.

More information about the list mailing list