- From: Brad Hill <hillbrad@gmail.com>
- Date: Tue, 15 Oct 2013 10:08:29 -0700
- To: Odin Hørthe Omdal <odinho@opera.com>
- Cc: public-test-infra <public-test-infra@w3.org>
- Message-ID: <CAEeYn8iykOeS47kaKGLPTNFA=O4grgJB6Pq2QCrRovf=6AhvLg@mail.gmail.com>
There's not really a good way to do this that I'm aware of. No default-trusted CA is going to be OK with issuing a certificate and then having you pass the private key around, even for a non-public name. They will consider that a key compromise and revoke it. (They are actually mandated to by the agreements they have with browsers.)

I wrote the man-in-the-middle CA library that Selenium started using about 6 years ago for this, but it requires that you provision a new root into the browser trust store. Or you can stand up a real server with a real certificate.

For WebAppSec, I have:

1) built and distributed a VM image with browsers that have a custom CA provisioned and certs issued off that CA installed on the server, to be used for offline testing

2) stood up an AWS image with a real domain name and certificate on it (https://webappsec-test.info) and I give non-root shells to people who ask, to do online testing

GlobalSign will issue a wildcard certificate for free to open source projects, which is what I did for #2 to save a few hundred $$, but they for sure won't be OK with sharing the private key around.

-Brad

On Tue, Oct 15, 2013 at 8:38 AM, Odin Hørthe Omdal <odinho@opera.com> wrote:

> On Mon, Oct 14, 2013, at 13:29, Robin Berjon wrote:
> > On 14/10/2013 12:48 , James Graham wrote:
> > > Hmm, well I don't have a concrete objection except that it feels very
> > > dubious to start passing a private key around, even if we are never
> > > going to use the domain for any other purpose. I would at least like
> > > someone who understands this stuff better than me to say that it's an OK
> > > idea before I agree to it :)
> >
> > Yeah, I agree it feels very dubious though I can't really think of an
> > attack either. Let me prod some proper paranoids to see what they reckon.
>
> Just CC webappsec?
>
> --
> Odin Hørthe Omdal
> odinho@opera.com
>
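The first option Brad describes, a private CA whose root is provisioned into the test browsers and whose key never leaves the test environment, is shown below as an added example using the openssl command line. This is not Brad's code, nor the Selenium library he mentions; the hostname `web-platform.test`, the working directory and the 30-day lifetimes are assumptions chosen for illustration. The last function makes the defensive point of the thread explicit: a leaf issued by such a CA verifies only where the test root has been installed and is rejected everywhere else, which is exactly the property a shared private key for a publicly trusted certificate would lack.

```shell
#!/bin/sh
# Added example (not from the mailing list thread): build a private test CA,
# issue a leaf certificate for a non-public test hostname, and check how the
# leaf is judged with and without the test root in the trust store.
set -e

WORK="${WORK:-$(mktemp -d)}"                 # assumed scratch directory
TEST_HOST="${TEST_HOST:-web-platform.test}"  # assumed non-public test name

# 1. Private root CA. The CA key stays on the test machine; nothing here is
#    ever submitted to a public CA, so there is no key to "pass around".
make_test_ca() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$WORK/ca.key" 2>/dev/null
    openssl req -new -key "$WORK/ca.key" \
        -subj "/CN=Local test CA (test environment only)" \
        -out "$WORK/ca.csr" 2>/dev/null
    # Explicit extensions so the root is a proper V3 CA regardless of the
    # defaults in the local openssl.cnf.
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
        > "$WORK/ca.ext"
    openssl x509 -req -in "$WORK/ca.csr" -signkey "$WORK/ca.key" -days 30 \
        -sha256 -extfile "$WORK/ca.ext" -out "$WORK/ca.pem" 2>/dev/null
}

# 2. Leaf certificate for the test host, with a SAN so hostname checks pass.
issue_leaf() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$WORK/leaf.key" 2>/dev/null
    openssl req -new -key "$WORK/leaf.key" -subj "/CN=$TEST_HOST" \
        -out "$WORK/leaf.csr" 2>/dev/null
    printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\nbasicConstraints=CA:FALSE\n' \
        "$TEST_HOST" > "$WORK/leaf.ext"
    openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/ca.pem" \
        -CAkey "$WORK/ca.key" -CAcreateserial -days 30 -sha256 \
        -extfile "$WORK/leaf.ext" -out "$WORK/leaf.pem" 2>/dev/null
}

# 3a. What a browser sees once the test root has been provisioned: the chain
#     builds and the name matches. Returns 0 on success.
verify_with_test_ca() {
    openssl verify -CAfile "$WORK/ca.pem" -verify_hostname "$TEST_HOST" \
        "$WORK/leaf.pem" >/dev/null 2>&1
}

# 3b. What everyone else sees: with only the default trust store (and here
#     an empty one) the leaf does not chain to anything. Returns non-zero.
verify_without_test_ca() {
    : > "$WORK/empty.pem"
    openssl verify -CAfile "$WORK/empty.pem" -no-CApath \
        "$WORK/leaf.pem" >/dev/null 2>&1
}

make_test_ca
issue_leaf
if verify_with_test_ca; then
    echo "leaf for $TEST_HOST verifies with the test root provisioned"
fi
if ! verify_without_test_ca; then
    echo "leaf for $TEST_HOST is rejected without the test root (as intended)"
fi
```

For the VM-image approach the only artifact that needs to be distributed is `ca.pem` (imported into each browser's trust store) plus the server-side `leaf.key`/`leaf.pem`; `ca.key` can be deleted once issuance is done, or kept offline for re-issuing leaves.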
Received on Tuesday, 15 October 2013 17:08:57 UTC