
s040606

join:2005-04-25
North York, ON

Remote access and server certificates

I'm trying to learn more about remote access from 2Wire gateways, and I've come upon a problem that I'm not sure I understand. If I try to access a server remotely, I'm immediately confronted with a security alert telling me that the certificate in question (while valid and having a correct name) was issued by a company that I don't trust.

If I look at the certificate, I find that the issuer is 103112008494.gateway.2wire.com. Obviously, my browser does not recognize this and pops up the warning.

What is 2Wire doing? Is this a pseudo-self-signed certificate, or an intermediate certificate that I don't have? Is there any official 2Wire documentation that tells me what to do in this situation? I've looked all over, and I can't get any documentation at all about where the remote access SSL certificates come from, and whether or not they are traceable back to a widely recognized certificate.

Any help would be appreciated.

Sander Smith

xDSLMan
Use The Search Function
Premium
join:2003-07-02
Liberty, MO
You can accept the certificate and load a copy into your browser so you will not have the warning again.

Just click View Certificate next time you see the warning and hit "Install Certificate".

How SSL works
»support.microsoft.com/default.as···;q245152

How Certificates work from »webengr.com/services/ssl_certificates/

How does a web-certificate work?
A Web-certificate functions as follows:

Whenever anybody transacts with a "secure" web-site, their browser (or server) authenticates the identity of the web-site using the web-certificate
If the site's certificate is not valid, a warning is issued to the user, otherwise the web-cert creates an SSL (Secure Server Layer) session and encrypts any information exchanged during that session
This prevents communication from being intercepted and deciphered by nefarious people on the Internet.
Can you explain "how a web certificate works" in "Plain English"?
Basically, when two parties (say a customer and the Amazon.com web-site) wish to "talk" securely (transfer the customer's credit-card number to Amazon.com), then a web-certificate sets up a "secure" session that first verifies the true identity of the party that requests data transfer (Amazon.com).

If a certificate is valid, the other party (the customer) gets a message saying that it's OK to "talk" to them (Amazon.com), as they are who they say they are. The other party (customer) then transfers the info (CC number) securely, without fear of any nefarious elements intercepting the data.

If the certificate is invalid, a message pops up saying so. Transactions can still occur, but at the risk of counter party fraud (It may be joesbooks.com trying to appear as Amazon.com)

How can someone tell whether a website is using a web certificate or not?
The pages of a web-site which are secured by a web-certificate are characterized by the following traits:

The URL of the secure web-pages change from »... to »
A lock symbol appears in the lower left-hand (right hand) status bar in Netscape Navigator (Internet Explorer).
If one wants to view and verify the encryption information of the secure pages, one should simply undertake the following:

In Netscape - click on the lock symbol above and select "View Certificate" button
In Internet Explorer - double-click on the lock in the lower right-hand status bar.

s040606

join:2005-04-25
North York, ON

Thanks for the long explanation, although it didn't really answer my question. When you look at SSL server certificates, there are 3 criteria that they must possess:

1) Have a valid date
2) Have the host name in the subject exactly match the host name in the URL
3) Be traceable to well-trusted root (such as VeriSign or GeoTrust) that is built into common browsers

The certificate I saw come off of the 2Wire remote access server had criteria 1+2 satisfied, but #3 wasn't. Yes, I could blindly accept this certificate into my certificate store, but frankly this isn't too wise.

The reason it isn't too wise is that certificates that don't satisfy #3 create an open invitation for hackers to launch a man-in-the-middle attack. Creating an attack like this is trivial to deploy, and the possible cost is allowing someone who is unauthorized to view everything that you share.

Is this what 2Wire is doing? Anyone have more info??

Sander
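
An added example, not part of the original thread: when a certificate satisfies criteria 1 and 2 but not 3, one alternative to accepting it blindly is to compare its SHA-256 fingerprint with a value recorded over a path you already trust, and only then install it. The sketch assumes you obtained that pinned fingerprint out of band; the function names and the sample certificate bytes are constructed for illustration.

```python
import hashlib
import hmac
import ssl


def fingerprint_sha256(pem_cert: str) -> str:
    """SHA-256 over the DER encoding, the value certificate dialogs display."""
    der = ssl.PEM_cert_to_DER_cert(pem_cert)
    return hashlib.sha256(der).hexdigest()


def normalize(fp: str) -> str:
    """Accept 'AA:BB:...', 'aa bb ...' or plain hex as copied from a dialog."""
    return fp.replace(":", "").replace(" ", "").lower()


def matches_pin(pem_cert: str, pinned_fp: str) -> bool:
    """True only if the presented certificate is byte-for-byte the pinned one."""
    return hmac.compare_digest(fingerprint_sha256(pem_cert), normalize(pinned_fp))


def check_remote(host: str, port: int, pinned_fp: str) -> bool:
    # With no ca_certs argument, get_server_certificate() does not validate
    # the chain, so it can fetch a certificate that fails criterion 3.
    # The pin comparison below is what replaces the missing chain of trust.
    pem = ssl.get_server_certificate((host, port))
    return matches_pin(pem, pinned_fp)


# Constructed sample: arbitrary bytes standing in for a certificate's DER
# encoding (not a real certificate), so the pin logic can be exercised offline.
SAMPLE_DER = b"constructed stand-in for a gateway certificate (not real DER)"
SAMPLE_PEM = ssl.DER_cert_to_PEM_cert(SAMPLE_DER)
SAMPLE_FP = fingerprint_sha256(SAMPLE_PEM)

if __name__ == "__main__":
    # A certificate swapped in transit has a different fingerprint.
    other = ssl.DER_cert_to_PEM_cert(SAMPLE_DER + b"!")
    print("pinned cert accepted:", matches_pin(SAMPLE_PEM, SAMPLE_FP))
    print("substituted cert accepted:", matches_pin(other, SAMPLE_FP))
```

A mismatch on a later connection means the server presented a different certificate than the one that was pinned, which is the condition the man-in-the-middle concern above is about.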

ugly1

join:2005-08-03
Phoenix, AZ
reply to s040606
I'd bet you a dollar the number in the issuer address exactly matches the serial number on the bottom of your router.

Whether you can trust the router is up to you.


koma3504
Advocate
Premium
join:2004-06-22
North Richland Hills, TX
reply to s040606
said by s040606:

The certificate I saw come off of the 2Wire remote access server had criteria 1+2 satisfied, but #3 wasn't. Yes, I could blindly accept this certificate into my certificate store, but frankly this isn't too wise.

The reason it isn't too wise is that certificates that don't satisfy #3 create an open invitation for hackers to launch a man-in-the-middle attack. Creating an attack like this is trivial to deploy, and the possible cost is allowing someone who is unauthorized to view everything that you share.

Is this what 2Wire is doing? Anyone have more info??

Sander
Exactly!!!
--
† Koma † If You Don't Think It's Possible!! It's Actually A Reality!! The best way to predict the future is to invent it. Alan Kay
ku^uipo_keleneka ®