Security Issues with Self-Signed SSL Certificates
Rishabh Kumar¹, Ashwin Perti²
¹ Rishabh Kumar, Department of ABES Engineering College, Affiliated to Dr. A.P.J. Abdul Kalam Technical University, Ghaziabad, India.
² Ashwin Perti, Department of ABES Engineering College, Affiliated to Dr. A.P.J. Abdul Kalam Technical University, Ghaziabad, India.
Manuscript received on 15 May 2019 | Revised Manuscript received on 22 May 2019 | Manuscript Published on 02 June 2019 | PP: 149-153 | Volume-8 Issue-7S2 May 2019 | Retrieval Number: G10240587S219/19©BEIESP
© The Authors. Blue Eyes Intelligence Engineering and Sciences Publication (BEIESP). This is an open-access article under the CC-BY-NC-ND license (http://creativecommons.org/licenses/by-nc-nd/4.0/)
Abstract: The price difference between a self-signed SSL certificate and one issued and verified by a trusted third party is the main reason organizations use self-signed SSL certificates. What organizations overlook are the security threats associated with self-signed certificates, which can make them costly in the long run. SSL is the single most important authentication protocol used in web-based transactions. While organizations continue to rely on SSL for external-facing sites such as a company home page or e-commerce site, some IT professionals believe that self-signed SSL certificates are an acceptable alternative for internal sites. Because only internal employees have access to the servers that host internal-facing sites, for example corporate email servers, human resource portals and wikis, these IT specialists believe self-signed SSL certificates provide adequate protection at a lower price point. This paper highlights the security issues associated with self-signed SSL certificates and how those threats can compromise the security of a system. A detailed methodology for performing a man-in-the-middle attack against a self-signed SSL certificate is also given, and the code to reproduce the attack is publicly available in a Git repository (referenced in Section 3). We conclude by recommending measures to prevent such attacks and enhance the security of the system.
Keywords: SSL; Certificates; Self-Signed Certificate; Man-in-the-Middle Attack; ARP Poisoning; DNS Poisoning; SSL Security; Usability.
Scope of the Article: Systems and Software Engineering
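The abstract's core point is that a self-signed certificate carries no third-party attestation, so a client that simply "accepts the self-signed certificate" cannot tell the IT team's certificate from one minted by whoever sits between it and the server. The following Go program is an added illustration written for this page; it is not the paper's code or the code in the authors' repository. Using only the standard library, it mints two unrelated self-signed certificates for the same constructed hostname (`intranet.example`), serves each over a loopback TLS listener, and compares two client policies: disabling verification outright (`InsecureSkipVerify`), which is what clicking through a browser warning amounts to, and pinning the genuine self-signed certificate as the client's only trust root. The hostname, certificate parameters and function names are all assumptions made for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"net"
	"time"
)

const host = "intranet.example" // constructed internal hostname for the example

// newSelfSigned mints a self-signed certificate for host. Anyone on the network
// can run this; nothing in the bytes tells a client whether it came from the IT
// team or from a machine that has placed itself between client and server.
func newSelfSigned() (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, nil
}

// handshake serves one TLS connection on loopback with serverCert and connects
// to it with clientCfg. It returns true if the client accepted the server's
// certificate, false if the client rejected it as untrusted, and a non-nil
// error for any other failure (network problems, unexpected TLS errors).
func handshake(serverCert tls.Certificate, clientCfg *tls.Config) (bool, error) {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return false, err
	}
	defer ln.Close()
	go func() {
		c, err := ln.Accept()
		if err != nil {
			return
		}
		defer c.Close()
		s := tls.Server(c, &tls.Config{Certificates: []tls.Certificate{serverCert}})
		s.SetDeadline(time.Now().Add(5 * time.Second))
		s.Handshake() // a failure here only means the client rejected us
	}()
	dialer := &net.Dialer{Timeout: 5 * time.Second}
	conn, err := tls.DialWithDialer(dialer, "tcp", ln.Addr().String(), clientCfg)
	if err != nil {
		var untrusted x509.UnknownAuthorityError
		if errors.As(err, &untrusted) {
			return false, nil // verification did its job
		}
		return false, err
	}
	conn.Close()
	return true, nil
}

// Outcome records what each client policy did with an impostor certificate
// and with the genuine one.
type Outcome struct {
	SkipVerifyAcceptsImpostor bool // InsecureSkipVerify: the "click through the warning" habit
	PinnedAcceptsImpostor     bool // genuine self-signed cert pinned as the only trust root
	PinnedAcceptsGenuine      bool // the pinned policy must still reach the real server
}

func runScenarios() (Outcome, error) {
	genuine, err := newSelfSigned() // the certificate IT installed on the server
	if err != nil {
		return Outcome{}, err
	}
	impostor, err := newSelfSigned() // an unrelated self-signed cert for the same name
	if err != nil {
		return Outcome{}, err
	}
	pool := x509.NewCertPool()
	pool.AddCert(genuine.Leaf) // out-of-band trust: distribute this one cert to clients
	skip := &tls.Config{InsecureSkipVerify: true}
	pinned := &tls.Config{ServerName: host, RootCAs: pool}

	var o Outcome
	if o.SkipVerifyAcceptsImpostor, err = handshake(impostor, skip); err != nil {
		return o, err
	}
	if o.PinnedAcceptsImpostor, err = handshake(impostor, pinned); err != nil {
		return o, err
	}
	o.PinnedAcceptsGenuine, err = handshake(genuine, pinned)
	return o, err
}

func main() {
	o, err := runScenarios()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", o)
}
```

The pinned policy is the cheap mitigation the abstract's recommendations point toward: a self-signed certificate is only as trustworthy as the channel used to deliver it to clients, so the certificate (or its fingerprint) has to be distributed out of band and configured as the sole trust root, at which point a substituted certificate fails verification instead of being waved through. Note that Go treats a certificate placed directly in `RootCAs` as trusted for itself, which is why the leaf can be pinned without a separate CA; other TLS stacks expose the same idea through fingerprint or public-key pinning.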