XIII, posted February 25, 2015:

A competitor's product reported "Replay Media Catcher 6 SSL Scanner CA" as a self-signed root certificate. After reading your PrivDog blog post I'm a bit worried about this. This is what the publisher said about the version 5 root CA: https://replaymediacatcher.zendesk....94-What-is-the-HTTPS-SSL-scanning-certificate

What should I do with this certificate/app?
Elise, posted February 25, 2015:

Self-signed certificates aren't uncommon. As shown clearly by the SuperFish problem, it really doesn't matter much who has signed the certificate; the problem is how easily the private key can be obtained, and whether or not this key is protected in the same way on all computers it is installed on (for example using the same password, as was the case for SuperFish, or not validating certificates at all, which was the problem with PrivDog). It all comes down to how well the application is coded and, to be honest, I'd expect to hear about more similar incidents in the future.

In other words, bypassing SSL in the examples above does not depend on whether or not the certificate is self-signed. Self-signed certificates cannot be verified as easily, which means they can be called less trustworthy. However, the SuperFish and PrivDog examples make it quite clear that "trustworthy" is a very relative term here.
XIII, posted February 26, 2015:

So what do you advise? Uninstall?
Elise, posted February 26, 2015:

If you don't use it, you can uninstall it anyway, if you don't trust the publisher. However, there is no more or less risk involved than with any other certificate. The problem is that until now an SSL certificate was seen as "very trustworthy". As it turns out, there are a variety of reasons why that may not be the case. I'd expect to hear more about similar cases in the future, as people will pay more attention to how various applications use these certificates and will publish their findings.
Kevin Zoll, posted February 26, 2015:

"A competitor's product reported "Replay Media Catcher 6 SSL Scanner CA" as a self-signed root certificate."

All root certificates are self-signed. There is no higher certificate authority than the root certificate, therefore they are self-signed. So, it being flagged as self-signed amounts to fear mongering. What matters more is whether or not the root certificate is a trusted certificate from a trusted source. If not, as Elise suggested, uninstall the untrustworthy root certificate.
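Since every genuine root is self-signed, the "self-signed" flag alone says nothing. A more useful check on a Windows machine is to look at which roots are installed in the user and machine Root stores, and specifically whether any of them carries a private key on this computer, because a local HTTPS-scanning proxy needs that key to mint leaf certificates on the fly. The following PowerShell is an added example written for this thread, not code from the forum, from Emsisoft, or from the Replay Media Catcher publisher; the $nameFilter substring is an assumption used only to highlight the certificate the original poster asked about.

```powershell
# Added example (not from the forum thread): audit the Windows Root stores for
# locally generated "SSL scanner" CAs.
#
# Every root has Subject == Issuer, so SelfSigned is true for all of them and is
# not a risk signal by itself. HasPrivateKey is the interesting column: a root
# whose private key is present in the store can sign certificates for any site,
# and a product that installs such a root is intercepting your HTTPS traffic.
# Caveat: a proxy that keeps its key in its own program files (as SuperFish did)
# will NOT show HasPrivateKey here, so also review any unfamiliar subject.

$stores     = 'Cert:\CurrentUser\Root', 'Cert:\LocalMachine\Root'
$nameFilter = 'SSL Scanner'   # assumption: substring of the suspect CA's subject

$findings = foreach ($store in $stores) {
    Get-ChildItem -Path $store | ForEach-Object {
        $cert = $_
        [pscustomobject]@{
            Store         = $store
            Subject       = $cert.Subject
            SelfSigned    = ($cert.Subject -eq $cert.Issuer)  # true for every real root
            HasPrivateKey = $cert.HasPrivateKey               # private key on this PC
            NotAfter      = $cert.NotAfter
            Thumbprint    = $cert.Thumbprint
        }
    }
}

# Report roots that either carry a local private key or match the product name.
$findings |
    Where-Object { $_.HasPrivateKey -or $_.Subject -like "*$nameFilter*" } |
    Format-Table -AutoSize
```

Run it from an elevated prompt so the LocalMachine store is fully readable. If you decide a listed root does not belong on the machine, note its Thumbprint from the output and remove it with `Get-ChildItem Cert:\CurrentUser\Root | Where-Object Thumbprint -eq '<thumbprint>' | Remove-Item` (use the LocalMachine path for a machine-wide root); removing the root is the same action as deleting it in certmgr.msc, and the application that installed it may reinstall it on its next run or update, so re-run the audit afterwards.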
XIII, posted February 26, 2015:

I deleted the certificate. Let's find out what functionality in the application Replay Media Catcher will break... (if any that I use)