OpenSSL generates SSL certificate, is it trusted by browser?

OpenSSL is an open source toolkit for the Transport Layer Security (TLS) protocol. Can an SSL certificate generated by OpenSSL be trusted by browsers, and can it be used to enable HTTPS encryption on a website?

What is OpenSSL?

OpenSSL is an open source toolkit that implements the Transport Layer Security (TLS) protocol on top of a cryptographic library. It has three main functional parts: the SSL/TLS protocol library, the command-line applications, and the cryptographic algorithm library. OpenSSL implements the ASN.1-based certificate and key standards and provides DER, PEM and Base64 encoding and decoding for data objects such as certificates, public keys, private keys, certificate requests and CRLs. It provides functions and applications for generating public key pairs and symmetric keys, DER encoding and decoding of public and private keys, and encoding and decoding of private keys in the PKCS#12 and PKCS#8 formats. It also implements the password-based encryption of private keys defined in those standards, so that keys can be stored and distributed safely.

On this basis, OpenSSL implements X.509 certificate encoding and decoding, PKCS#12 and PKCS#7 encoding and decoding, and provides a text database that supports certificate management functions: key generation, request generation, certificate issuance, revocation and verification. In other words, the CA application provided by OpenSSL is a small certificate authority (CA) that implements the entire certificate issuance process and most of the certificate management mechanisms.

What are the security risks of OpenSSL generating SSL certificates?

An SSL certificate should be issued by a trusted certificate authority that strictly verifies the applicant's identity and issues it from an audited system; only such a certificate is trusted by browsers. Whether a certificate generated by OpenSSL is trusted therefore depends on the type of certificate and the identity of the issuer. OpenSSL can generate both self-signed certificates and CA certificates. A self-signed certificate is one the subject issues to itself, and browsers do not trust it. If a self-signed certificate generated with OpenSSL is deployed on a website, visitors see the prompt "Your connection is not private" and are asked whether to continue: the browser does not trust the self-signed certificate, so validation fails. Self-signed SSL certificates can be issued at will, are supervised by no one, and are trusted by no browser or operating system, which brings a number of security risks.

1. Easily counterfeited and abused by fraudulent websites

Self-signed SSL certificates can be issued at will, with no supervision. Hackers can just as easily forge an identical self-signed certificate and use it on a phishing website, so the fake site presents the same certificate as the real one.

2. Browsers keep showing a warning for websites deployed with a self-signed SSL certificate

Self-signed SSL certificates are not trusted by browsers. When users visit a website deployed with one, the browser keeps showing security warnings, which greatly degrades the user experience.

3. Most exposed to SSL man-in-the-middle attacks

When users visit a website deployed with a self-signed SSL certificate and run into the browser warning, the website usually tells them to click "Continue". Because users are being trained to click through the warning, the certificate an attacker would present in a man-in-the-middle attack triggers the same warning and is just as likely to be accepted, which makes the website far more vulnerable to such attacks.

4. No accessible revocation list to verify certificate status

This is a problem common to all self-signed SSL certificates. Making an SSL certificate is not difficult; it takes a few minutes with OpenSSL. Making one work properly is much harder. For a certificate to operate normally, the browser must be able to check in real time whether it has expired or been revoked, so the certificate must point to a revocation list the browser can reach. If the browser cannot check revocation status in real time, a certificate that is lost or stolen cannot be revoked and is very likely to be used for illegal purposes, causing losses to users. In addition, the browser will show a security warning of "The revocation list is unavailable, continue?", which greatly prolongs the browser's processing time and slows page loading.

5. Excessively long validity period: the longer the lifetime, the easier it is to crack

The current international standard requires that the validity period of an SSL certificate not exceed 398 days. Self-signed certificates, however, are free to produce and unregulated, and their validity periods are generally far too long, ranging from 5 years to 20 or even 30 years. The basic principle behind the validity limit in PKI technical standards is that the longer a certificate is valid, the more likely it is to be cracked by hackers.
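The trust, revocation and validity points above can be reproduced with the openssl command line. The following script is an added example, not code from the original article: it generates a 10-year self-signed certificate for the constructed host name example.test, shows that the system trust store (what a browser consults) rejects it while an explicitly trusted copy is accepted, and checks that it carries no CRL distribution point and outlives the 398-day limit.

```shell
# Added example, not from the original article: reproduce the checks a browser
# makes against a self-signed certificate, using only the openssl CLI.
# The host name example.test and the working directory are constructed.
set -e
WORK=$(mktemp -d)

# Create a self-signed certificate valid for 10 years: subject == issuer, no
# CRL distribution point, and far beyond the 398-day limit the article cites.
make_self_signed() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -subj "/CN=example.test" \
        -keyout "$WORK/selfsigned.key" -out "$WORK/selfsigned.crt" 2>/dev/null
}

# Exit 0 when the certificate chains to a trust anchor. With no bundle given,
# openssl uses the system trust store, as a browser would.
verify_cert() {
    if [ -n "${2:-}" ]; then
        openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
    else
        openssl verify "$1" >/dev/null 2>&1
    fi
}

# Self-signed means the subject and issuer names are identical.
is_self_signed() {
    subj=$(openssl x509 -in "$1" -noout -subject)
    iss=$(openssl x509 -in "$1" -noout -issuer)
    [ "${subj#subject=}" = "${iss#issuer=}" ]
}

# Exit 0 when the certificate carries a CRL distribution point, i.e. a browser
# could at least locate a revocation list for it.
has_crl_dp() {
    openssl x509 -in "$1" -noout -text | grep -q "CRL Distribution Points"
}

# Exit 0 when the certificate is still valid 398 days from now (34387200 s),
# i.e. its remaining lifetime exceeds the limit the article cites.
outlives_398_days() {
    openssl x509 -in "$1" -noout -checkend 34387200 >/dev/null 2>&1
}

make_self_signed
CERT="$WORK/selfsigned.crt"
is_self_signed "$CERT" && echo "subject == issuer: self-signed"
verify_cert "$CERT" || echo "system trust store rejects it (what a browser sees)"
verify_cert "$CERT" "$CERT" && echo "accepted only after explicitly trusting it"
has_crl_dp "$CERT" || echo "no CRL distribution point: status cannot be checked"
outlives_398_days "$CERT" && echo "validity exceeds 398 days"
```

Run the same four functions against a certificate from a public CA and the trust, CRL and validity checks flip, which is exactly the difference a browser acts on.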


Origin blog.csdn.net/WoTrusCA/article/details/131326368