Question
Our company uses a web server with a couple of web sites on it (private and public, over HTTP and HTTPS, some low risk and some high risk including online payments or other sensitive data for example).
In our last project, we communicated with a partner company through web services. They wanted to use their own certificates, issued by themselves, to secure the connection. So we had to install their root certificate "PrivateCompany Root CA" on our web server.
Just how bad is this exactly? In what scenarios can our security be tampered with?
Explanation / Answer
There is only full trust with the CAs you've installed. This means that there is no restriction on which certificates a trusted CA can sign. So it can also sign fake certificates for sites they don't own (e.g. banking.com) and you will accept them.
I don't know how you communicate with the partner, but with languages like Perl, Python etc. you can specify a CA store, which gets used only for this specific communication. This way you could have your normal communication and the communication with the partner use different sets of trusted CAs.
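As an added illustration of the separate-CA-store approach (example code, not from the answer's author), the following keeps the partner's root out of the machine-wide trust store and loads it only into a dedicated Python `ssl.SSLContext` used for the partner endpoint; the PEM path is an assumption:

```python
"""Two trust stores on one host: the system CAs for the public sites,
the partner's private root only for the partner web-service calls."""
import socket
import ssl

# Assumed location of the partner's "PrivateCompany Root CA" PEM file.
PARTNER_CA_PEM = "/etc/ssl/partner/privatecompany-root-ca.pem"


def empty_client_context() -> ssl.SSLContext:
    # A fresh client context trusts nothing until a CA file is loaded.
    # CERT_REQUIRED and hostname checking are already the defaults for
    # PROTOCOL_TLS_CLIENT; they are set explicitly so the intent is visible.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    return ctx


def partner_context(ca_pem: str = PARTNER_CA_PEM) -> ssl.SSLContext:
    # Only the partner root is an anchor here, and this context is used
    # only for the partner endpoint, so a certificate that root signs for
    # some unrelated site is never accepted by the rest of the system.
    ctx = empty_client_context()
    ctx.load_verify_locations(cafile=ca_pem)  # raises if the file is missing
    return ctx


def public_context() -> ssl.SSLContext:
    # The OS trust store for everything else; the partner root is absent.
    return ssl.create_default_context()


def trusted_ca_names(ctx: ssl.SSLContext) -> list:
    # Subject common names of the CAs a context will accept as anchors.
    names = []
    for cert in ctx.get_ca_certs():
        subject = dict(rdn[0] for rdn in cert["subject"])
        names.append(subject.get("commonName", "?"))
    return names


def peer_issuer(host: str, ctx: ssl.SSLContext, port: int = 443) -> str:
    # Connect with the chosen context and report who issued the leaf cert.
    with socket.create_connection((host, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            issuer = dict(rdn[0] for rdn in tls.getpeercert()["issuer"])
            return issuer.get("commonName", "?")


if __name__ == "__main__":
    print("partner-only anchors:", trusted_ca_names(partner_context()))
    print("public anchors:", len(trusted_ca_names(public_context())))
```

Use `partner_context()` only for the partner's hostname and `public_context()` everywhere else; a certificate issued by the partner root for any other site then fails verification in the public path.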