Xjyuk

How did the Axis intend to hold the Caucasus?

(2 of 11: Moon-or-Sun) What is Pyramid Cult's Favorite Camera?

Polyhedra, Polyhedron, Polytopes and Polygon

How many oliphaunts died in all of the Lord of the Rings battles?

Can a table be formatted so that math mode is in some columns and text is in others by default?

What is this spacecraft tethered to another spacecraft in LEO (vintage)

Finding minimum time for vehicle to reach to its destination

Why is the number of local variables used in a Java bytecode method not the most economical?

What is the most common end of life issue for a car?

What is the use of で in this sentence?

Does academia have a lazy work culture?

Character is called by their first initial. How do I write it?

Trapped in an ocean Temple in Minecraft?

How to apply the changes to my `.zshrc` file after edit?

How can religions be structured in ways that allow inter-faith councils to work?

Writing a clean implementation of rock–paper–scissors game in C++

Request for a Latin phrase as motto "God is highest/supreme"

Word for showing a small part of something briefly to hint to its existence or beauty without fully uncovering it

Is it legal for private citizens to "impound" e-scooters?

How did Mysterio have these drones?

Examples of simultaneous independent breakthroughs

When does Haskell complain about incorrect typing in functions?

Use cases for M-0 & C-0?

sfdx force:org:list --all doesn't show all scratch orgs

Is it dangerous to add a custom cert authority to a browser?

What access does installing custom certificate file give?Clients trust my custom CAIs there any technical security reason not to buy the cheapest SSL certificate you can find?Risk in buying an SSL cert from a not well-known partyIs an SSL/TLS HTTPS certificate 'fingerprinting' attack possible?Server sends RST after receiving Client Hello when binding certain certificateUsing client certs issued by a third party CAAre Free SSL/TLS Certificates Trustworthy ? Can Cert Providers Snoop On Traffic?Does any SSL certificate vendor allow custom expiration date while creating the SSL Certificate?Browser cert error - cert mismatch, but only under certain conditionsCertificate authority for unusual/complex certificates

.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty margin-bottom:0;

1

For example if my friend develops a webapp with a custom cert and I add them as CA to my browser, can they do any damage? I mean for example somehow faking certs and stealing my banking password, etc.? Are there such risks with custom cert authorities?

tls certificates certificate-authority

share|improve this question

asked 9 hours ago

inf3rnoinf3rno

28466 silver badges1515 bronze badges

• 
  
  
  

  
  1
  

  
  
  
  
  
  

  
  
  Possible duplicate of What access does installing custom certificate file give?
  
  – multithr3at3d
  8 hours ago
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  You should tell your friend to visit letsencrypt.org :)
  
  – Nonny Moose
  12 mins ago
  

  
  
  
  

add a comment | 

1

For example if my friend develops a webapp with a custom cert and I add them as CA to my browser, can they do any damage? I mean for example somehow faking certs and stealing my banking password, etc.? Are there such risks with custom cert authorities?

tls certificates certificate-authority

share|improve this question

asked 9 hours ago

inf3rnoinf3rno

28466 silver badges1515 bronze badges

• 
  
  
  

  
  1
  

  
  
  
  
  
  

  
  
  Possible duplicate of What access does installing custom certificate file give?
  
  – multithr3at3d
  8 hours ago
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  You should tell your friend to visit letsencrypt.org :)
  
  – Nonny Moose
  12 mins ago
  

  
  
  
  

add a comment | 

For example if my friend develops a webapp with a custom cert and I add them as CA to my browser, can they do any damage? I mean for example somehow faking certs and stealing my banking password, etc.? Are there such risks with custom cert authorities?

tls certificates certificate-authority

share|improve this question

asked 9 hours ago

inf3rnoinf3rno

28466 silver badges1515 bronze badges

share|improve this question

asked 9 hours ago

inf3rnoinf3rno

28466 silver badges1515 bronze badges

share|improve this question

asked 9 hours ago

inf3rnoinf3rno

28466 silver badges1515 bronze badges

asked 9 hours ago

inf3rnoinf3rno

28466 silver badges1515 bronze badges

asked 9 hours ago

inf3rnoinf3rno

28466 silver badges1515 bronze badges

1 Answer
1

active

oldest

votes

2

Is it dangerous to add a custom cert authority to a browser?

It is pretty dangerous. The owner of this CA can use it for man in the middle attacks or to impersonate arbitrary web sites since your browser will trust the CA to create certificates for arbitrary sites. Using such attacks he can then intercept your passwords and other sensitive data.

For example if my friend develops a webapp with a custom cert and I add them as CA to my browser, ...

There is no need to import the certificate as CA into the browser. You can just import this specific certificate as trusted as server certificate but not as CA certificate. If you do it this way it can only be used to MITM and impersonate sites which are covered by the certificates subject/SAN.

Or you can just add an exception if the browser warns you. In this case the certificate is only treated as valid for the site you visited but not for all the other domains which might be covered by the subject/SAN.

share|improve this answer

answered 8 hours ago

Steffen UllrichSteffen Ullrich

127k1616 gold badges223223 silver badges290290 bronze badges

• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  It's worth noting that if you merely add an exception to ignore the untrusted certificate for the site, then your connection to that site could be MITM'd by a third party.
  
  – Nonny Moose
  13 mins ago
  

  
  
  
  

add a comment | 

Your Answer

StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "162"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);

else
createEditor();

);

function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: false,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
imageUploader:
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
,
noCode: true, onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);



);

draft saved

draft discarded

Sign up or log in

StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);

Sign up using Google

Sign up using Facebook

Sign up using Email and Password

Post as a guest

Name

Email

Required, but never shown

StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f214224%2fis-it-dangerous-to-add-a-custom-cert-authority-to-a-browser%23new-answer', 'question_page');

);

Post as a guest

Name

Email

Required, but never shown

2

Is it dangerous to add a custom cert authority to a browser?

It is pretty dangerous. The owner of this CA can use it for man in the middle attacks or to impersonate arbitrary web sites since your browser will trust the CA to create certificates for arbitrary sites. Using such attacks he can then intercept your passwords and other sensitive data.

For example if my friend develops a webapp with a custom cert and I add them as CA to my browser, ...

There is no need to import the certificate as CA into the browser. You can just import this specific certificate as trusted as server certificate but not as CA certificate. If you do it this way it can only be used to MITM and impersonate sites which are covered by the certificates subject/SAN.

Or you can just add an exception if the browser warns you. In this case the certificate is only treated as valid for the site you visited but not for all the other domains which might be covered by the subject/SAN.

share|improve this answer

answered 8 hours ago

Steffen UllrichSteffen Ullrich

127k1616 gold badges223223 silver badges290290 bronze badges

• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  It's worth noting that if you merely add an exception to ignore the untrusted certificate for the site, then your connection to that site could be MITM'd by a third party.
  
  – Nonny Moose
  13 mins ago
  

  
  
  
  

add a comment | 

2

Is it dangerous to add a custom cert authority to a browser?

It is pretty dangerous. The owner of this CA can use it for man in the middle attacks or to impersonate arbitrary web sites since your browser will trust the CA to create certificates for arbitrary sites. Using such attacks he can then intercept your passwords and other sensitive data.

For example if my friend develops a webapp with a custom cert and I add them as CA to my browser, ...

There is no need to import the certificate as CA into the browser. You can just import this specific certificate as trusted as server certificate but not as CA certificate. If you do it this way it can only be used to MITM and impersonate sites which are covered by the certificates subject/SAN.

Or you can just add an exception if the browser warns you. In this case the certificate is only treated as valid for the site you visited but not for all the other domains which might be covered by the subject/SAN.

share|improve this answer

answered 8 hours ago

Steffen UllrichSteffen Ullrich

127k1616 gold badges223223 silver badges290290 bronze badges

• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  It's worth noting that if you merely add an exception to ignore the untrusted certificate for the site, then your connection to that site could be MITM'd by a third party.
  
  – Nonny Moose
  13 mins ago
  

  
  
  
  

add a comment | 

Is it dangerous to add a custom cert authority to a browser?

It is pretty dangerous. The owner of this CA can use it for man in the middle attacks or to impersonate arbitrary web sites since your browser will trust the CA to create certificates for arbitrary sites. Using such attacks he can then intercept your passwords and other sensitive data.

For example if my friend develops a webapp with a custom cert and I add them as CA to my browser, ...

There is no need to import the certificate as CA into the browser. You can just import this specific certificate as trusted as server certificate but not as CA certificate. If you do it this way it can only be used to MITM and impersonate sites which are covered by the certificates subject/SAN.

Or you can just add an exception if the browser warns you. In this case the certificate is only treated as valid for the site you visited but not for all the other domains which might be covered by the subject/SAN.

share|improve this answer

answered 8 hours ago

Steffen UllrichSteffen Ullrich

127k1616 gold badges223223 silver badges290290 bronze badges

share|improve this answer

answered 8 hours ago

Steffen UllrichSteffen Ullrich

127k1616 gold badges223223 silver badges290290 bronze badges

answered 8 hours ago

Steffen UllrichSteffen Ullrich

127k1616 gold badges223223 silver badges290290 bronze badges

answered 8 hours ago

Steffen UllrichSteffen Ullrich

127k1616 gold badges223223 silver badges290290 bronze badges