
Replay Media Catcher 6 SSL Scanner CA (un)safe?


XIII

A competitor's product reported "Replay Media Catcher 6 SSL Scanner CA" as a self-signed root certificate.

 

After reading your PrivDog blog post I'm a bit worried about this.

This is what the publisher said about the version 5 root CA: https://replaymediacatcher.zendesk....94-What-is-the-HTTPS-SSL-scanning-certificate

 

What should I do with this certificate/App?


Self-signed certificates aren't uncommon. As shown clearly by the SuperFish problem, it really doesn't matter much who has signed the certificate, the problem is how easily the private key can be obtained, and whether or not this key is protected on all computers it is installed on the same way (for example using the same password as was the case for SuperFish or not validating certificates at all which was the problem with PrivDog). It all comes down to how well the application is coded and to be honest I'd expect to hear about more similar incidences in the future.

In other words, bypassing SSL in the examples above does not depend on whether or not the certificate is self-signed. Self-signed certificates cannot be verified as easily which means they can be called less trustworthy. However the SuperFish and PrivDog examples make it quite clear that trustworthy is a very relative term here. :)


If you don't use it you can uninstall it anyway, if you don't trust the publisher. However there is no more or less risk involved than with any other certificate. The problem is that until now an SSL certificate was seen as "very trustworthy". As it turns out now there are a variety of ways why that could be not so much the case. I'd expect to hear more about similar cases in the future as people will pay more attention to how various applications use these certificates and will publish their findings.


A competitor's product reported "Replay Media Catcher 6 SSL Scanner CA" as a self-signed root certificate.

 

All Root Certificates are self-signed. There is no higher Certificate Authority than the Root Certificate, therefore they are self-signed.

So, it being flagged as self-signed, amounts to fear mongering. What matters more is whether or not the Root Certificate is a trusted certificate from a trusted source. If not, like Elise suggested, uninstall the untrustworthy Root Certificate.

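Added example, not part of any post in this thread: a PowerShell check that finds the certificate named in the question in the Windows trusted-root stores and reports the properties the replies discuss. The subject name is taken from the thread title; the variable names are illustrative assumptions.

```powershell
# Subject name as quoted in the thread; adjust if the installed name differs.
$name = 'Replay Media Catcher 6 SSL Scanner CA'

# A root in either store is trusted for the logged-on user.
$stores = 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root'

$found = foreach ($store in $stores) {
    Get-ChildItem -Path $store |
        Where-Object { $_.Subject -like "*$name*" } |
        ForEach-Object {
            [pscustomobject]@{
                Store         = $store
                Subject       = $_.Subject
                Issuer        = $_.Issuer
                # True for every root CA, so not a finding by itself.
                SelfSigned    = ($_.Subject -eq $_.Issuer)
                Thumbprint    = $_.Thumbprint
                NotBefore     = $_.NotBefore
                NotAfter      = $_.NotAfter
                SignatureAlg  = $_.SignatureAlgorithm.FriendlyName
                # True when the matching private key is stored on this machine.
                HasPrivateKey = $_.HasPrivateKey
            }
        }
}

if ($found) {
    $found | Format-List
} else {
    Write-Output "No trusted root matching '$name' was found."
}
```

Comparing the `Thumbprint` value from two separate installations shows whether each install generates its own CA: identical thumbprints mean the same certificate, and therefore the same key pair, on both machines.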

This topic is now closed to further replies.