public inbox for gentoo-dev@lists.gentoo.org
* [gentoo-dev] SSL-Certificates and CAcert
From: Hanno Böck @ 2007-09-27 15:23 UTC
  To: gentoo-dev

Hi,

Every time I'm sending out a mail with my gentoo.org-address, I get 
this "certificate may be unsecure" message. Gentoo mailserver (and forums, 
bugzilla and probably many more) use self-signed ssl-certificates.

Well, I hope I don't have to tell that self-signed certs are not really good 
security policy. Imho, having those "pay lots of $/€"-certs also isn't a very 
good option, because obviously "security for the ones who pay a lot" isn't a 
good idea either.

I think most of you know that there's CAcert, a "free" certificate authority. 
While it's sadly not free in a "free software" sense (their own software 
isn't released under a free license, though I hope that will change at some 
point in the future), it uses a web-of-trust-based concept for trust and 
issues certificates with no costs.

I think compared to self-signed, having cacert-certificates would be a big 
improvement. Many other free software projects (and more and more other 
pages) use cacert, so it becomes more and more likely that people will 
already have the cacert-root-cert installed.

-- 
Hanno Böck		Blog:   http://www.hboeck.de/
GPG: 3DBD3B20		Jabber: hanno@hboeck.de


* Re: [gentoo-dev] SSL-Certificates and CAcert
From: Petteri Räty @ 2007-09-27 15:32 UTC
  To: gentoo-dev

Hanno Böck wrote:
> 
> I think compared to self-signed, having cacert-certificates would be a big 
> improvement. Many other free software projects (and more and more other 
> pages) use cacert, so it becomes more and more likely that people will 
> already have the cacert-root-cert installed.
> 

gentoo-project material

Regards,
Petteri



* Re: [gentoo-dev] SSL-Certificates and CAcert
From: Andrew Gaffney @ 2007-09-27 15:37 UTC
  To: gentoo-dev

Hanno Böck wrote:
> I think compared to self-signed, having cacert-certificates would be a big 
> improvement. Many other free software projects (and more and more other 
> pages) use cacert, so it becomes more and more likely that people will 
> already have the cacert-root-cert installed.

How does a CAcert certificate help? Their own certificate for 
https://www.cacert.org/ can't be verified by Firefox 2.0.0.7, which tells me 
that their CA isn't trusted by default.

-- 
Andrew Gaffney                                 http://dev.gentoo.org/~agaffney/
Gentoo Linux Developer             Catalyst/Installer + x86 release coordinator
-- 
gentoo-dev@gentoo.org mailing list




* Re: [gentoo-dev] SSL-Certificates and CAcert
From: Hanno Böck @ 2007-09-27 17:01 UTC
  To: gentoo-dev

On Thursday 27 September 2007, Andrew Gaffney wrote:
> How does a CAcert certificate help? Their own certificate for
> https://www.cacert.org/ can't be verified by Firefox 2.0.0.7, which tells
> me that their CA isn't trusted by default.

They're working on that, goal is to include in ff. But anyway, I think it still 
helps.

On many IT events cacert is present and you can get their fingerprint. Besides, 
you only have to import their root-cert once and get verification for all 
cacert-pages out there, not only gentoo's. That's the whole idea and it's a 
lot more comfortable (and secure) than self-signed I think.


-- 
Hanno Böck		Blog:   http://www.hboeck.de/
GPG: 3DBD3B20		Jabber: hanno@hboeck.de


* Re: [gentoo-dev] SSL-Certificates and CAcert
From: Doug Goldstein @ 2007-09-27 19:01 UTC
  To: gentoo-dev

Andrew Gaffney wrote:
> Hanno Böck wrote:
>> I think compared to self-signed, having cacert-certificates would be
>> a big improvement. Many other free software projects (and more and
>> more other pages) use cacert, so it becomes more and more likely that
>> people will already have the cacert-root-cert installed.
>
> How does a CAcert certificate help? Their own certificate for
> https://www.cacert.org/ can't be verified by Firefox 2.0.0.7, which
> tells me that their CA isn't trusted by default.
>
Yes, however a lot of people have their cert imported into their browser
and they provide a method for importing their CA into your browser.
Where's the Gentoo CA for me to import into my browser?

* Re: [gentoo-dev] SSL-Certificates and CAcert
From: Robin H. Johnson @ 2007-09-27 22:11 UTC
  To: gentoo-dev

On Thu, Sep 27, 2007 at 05:23:26PM +0200, Hanno Böck wrote:
> Well, I hope I don't have to tell that self-signed certs are not really good 
> security policy.
Whether or not self-signed certs are secure or insecure depends entirely
on your definition of 'secure'. 
- Is the traffic encrypted between your machine and the server? 
  Always, regardless of it being a self-signed or self-CA, or external CA.
- Can you be sure that there is no MITM attack?
  Only if you trust the CA _OR_ you know in advance the SSL fingerprint.

Knowing the SSL fingerprint is trivial, if you log in to machines with
SSH, you are doing this every day.

> I think most of you know that there's CAcert, a "free" certificate authority. 
> While it's sadly not free in a "free software" sense (their own software 
> isn't released under a free license, though I hope that will change at some 
> point in the future), it uses a web-of-trust-based concept for trust and 
> issues certificates with no costs.
Go and read ALL of this bug:
http://bugs.gentoo.org/show_bug.cgi?id=108944
Pylon and myself, as folk in favour of CA-Cert tried to get the ball
rolling to get Organization-level certs from CACert. It seems to have
long blocked on trustees and paperwork - both on our side, and on the
side of CACert (Inclusion in Mozilla is blocking on the CACert internal
audit).

> I think compared to self-signed, having cacert-certificates would be a big 
> improvement. Many other free software projects (and more and more other 
> pages) use cacert, so it becomes more and more likely that people will 
> already have the cacert-root-cert installed.
I don't agree that it's a big improvement. If you read the bug above,
you'll note that we did at one stage have a 'Gentoo CA' that Infra ran
for generating certs.

-- 
Robin Hugh Johnson
Gentoo Linux Developer & Infra Guy
E-Mail     : robbat2@gentoo.org
GnuPG FP   : 11AC BA4F 4778 E3F6 E4ED  F38E B27B 944E 3488 4E85
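
An added example, not part of the original message: the "know the SSL fingerprint in advance" check from the reply above, done the way SSH does host-key checking. The SHA-256 choice, the host name bugs.example.test, the pin table and the byte strings standing in for certificates are all assumptions made for illustration.

```python
import hashlib
import hmac
import socket
import ssl

HEX = set("0123456789abcdef")


def normalize_fingerprint(text):
    """Turn 'SHA256 Fingerprint=AA:BB:..' or 'aabb..' into 64 lowercase hex digits."""
    value = text.split("=", 1)[-1]
    digits = value.replace(":", "").replace(" ", "").strip().lower()
    if len(digits) != 64 or not set(digits) <= HEX:
        raise ValueError("not a SHA-256 fingerprint: %r" % text)
    return digits


def fingerprint(der_cert):
    """SHA-256 over the DER bytes, as `openssl x509 -noout -fingerprint -sha256` shows."""
    return hashlib.sha256(der_cert).hexdigest()


def check_pin(host, der_cert, pins):
    """Classify the presented certificate as 'match', 'mismatch' or 'unknown'."""
    expected = pins.get(host.lower())
    if expected is None:
        return "unknown"   # no pin recorded: encrypted, but the peer is unauthenticated
    same = hmac.compare_digest(fingerprint(der_cert), normalize_fingerprint(expected))
    return "match" if same else "mismatch"   # mismatch: new key or interception


def fetch_der(host, port=443, timeout=10):
    """Fetch the server certificate with CA validation off; check_pin replaces it."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def to_openssl_form(hex_digest):
    """Render a hex digest in the colon-separated upper-case form openssl prints."""
    pairs = [hex_digest[i:i + 2] for i in range(0, len(hex_digest), 2)]
    return "SHA256 Fingerprint=" + ":".join(pairs).upper()


# Constructed stand-ins for DER certificate bytes (not real certificates).
GENUINE = b"constructed-der-bytes-of-the-server-certificate"
IMPOSTOR = b"constructed-der-bytes-of-an-interceptor-certificate"

# Pin table as an administrator would record it out of band (constructed).
PINS = {"bugs.example.test": to_openssl_form(fingerprint(GENUINE))}

if __name__ == "__main__":
    for label, cert in (("genuine", GENUINE), ("impostor", IMPOSTOR)):
        print(label, check_pin("bugs.example.test", cert, PINS))
    print("unpinned host", check_pin("forums.example.test", GENUINE, PINS))
```

Against a live server, pass the bytes returned by `fetch_der(host)` to `check_pin` in place of the constructed ones.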


* Re: [gentoo-dev] SSL-Certificates and CAcert
From: Caleb Tennis @ 2007-09-27 22:47 UTC
  To: gentoo-dev

> On Thu, Sep 27, 2007 at 05:23:26PM +0200, Hanno Böck wrote:
>> Well, I hope I don't have to tell that self-signed certs are not really good
>> security policy.
> Whether or not self-signed certs are secure or insecure depends entirely
> on your definition of 'secure'.
> - Is the traffic encrypted between your machine and the server?
>   Always, regardless of it being a self-signed or self-CA, or external CA.
> - Can you be sure that there is no MITM attack?
>   Only if you trust the CA _OR_ you know in advance the SSL fingerprint.
>
> Knowing the SSL fingerprint is trivial, if you log in to machines with
> SSH, you are doing this every day.

Yes, you and I and most other technical people know and understand this.  But how
many end users know or care that their traffic to bugzilla is being safely
encrypted?  And how many are going to have worry and/or doubt when they get a popup
telling them that some kind of security certificate may not be valid.  It's
definitely a red flag.

>> I think most of you know that there's CAcert, a "free" certificate authority.
>> While it's sadly not free in a "free software" sense (their own software
>> isn't released under a free license, though I hope that will change at some
>> point in the future), it uses a web-of-trust-based concept for trust and
>> issues certificates with no costs.
> Go and read ALL of this bug:
> http://bugs.gentoo.org/show_bug.cgi?id=108944
> Pylon and myself, as folk in favour of CA-Cert tried to get the ball
> rolling to get Organization-level certs from CACert. It seems to have
> long blocked on trustees and paperwork - both on our side, and on the
> side of CACert (Inclusion in Mozilla is blocking on the CACert internal
> audit).

Is there a reason that my Godaddy suggestion in the bug isn't being considered? 
Regardless of what you may think of them as a company, they offer the same free type
of certificate to open source projects just like cacert, and with what looks to be
considerably less overhead.  I understand that cacert is more "open sourcy" than
godaddy, but if they're as much of a roadblock as the Trustees are in this case,
maybe going that route would enable us to move forward?

>> I think compared to self-signed, having cacert-certificates would be a big
>> improvement. Many other free software projects (and more and more other
>> pages) use cacert, so it becomes more and more likely that people will
>> already have the cacert-root-cert installed.
> I don't agree that it's a big improvement. If you read the bug above,
> you'll note that we did at one stage have a 'Gentoo CA' that Infra ran
> for generating certs.

It is a big improvement.  Not in security, but in perception.

Caleb


* Re: [gentoo-dev] SSL-Certificates and CAcert
From: Robin H. Johnson @ 2007-09-28  0:10 UTC
  To: gentoo-dev

On Thu, Sep 27, 2007 at 06:47:36PM -0400, Caleb Tennis wrote:
> Is there a reason that my Godaddy suggestion in the bug isn't being considered? 
> Regardless of what you may think of them as a company, they offer the same free type
> of certificate to open source projects just like cacert, and with what looks to be
> considerably less overhead.  I understand that cacert is more "open sourcy" than
> godaddy, but if they're as much of a roadblock as the Trustees are in this case,
> maybe going that route would enable us to move forward?
See my comment #14, regarding regenerating the certs [1] each time the set
of SSL vhosts on a box changes. For mail services, this isn't really an
issue, but for web services it's a big one. Wildcards only work in
Mozilla, and nowhere else [2].

[1] http://wiki.cacert.org/wiki/VhostTaskForce#head-7236c4e2c9932ef42056b3ff6d367053081887de
[2] http://wiki.cacert.org/wiki/WildcardCertificates

> > I don't agree that it's a big improvement. If you read the bug above,
> > you'll note that we did at one stage have a 'Gentoo CA' that Infra ran
> > for generating certs.
> It is a big improvement.  Not in security, but in perception.
Ok, let's narrow this down for a moment.
Of the SSL-using services that Gentoo has, which do we care about for
users (NOT developers)? 
bugs.g.o and forums.g.o are the main two that I'm aware of.
Are there any others that get high traffic of security-clueless users?

If there aren't too many AND we can get a dedicated IP for each of those
services, I'd like to suggest the following, as an easily doable and
low-overhead (in terms of Trustees/paperwork) solution:

1. On the services identified, get extra IPs, and use the free GoDaddy certs.
2. On other services use the Gentoo-CA approach.

-- 
Robin Hugh Johnson
Gentoo Linux Developer & Infra Guy
E-Mail     : robbat2@gentoo.org
GnuPG FP   : 11AC BA4F 4778 E3F6 E4ED  F38E B27B 944E 3488 4E85


* [gentoo-dev]  Re: SSL-Certificates and CAcert
From: Duncan @ 2007-09-28  9:31 UTC
  To: gentoo-dev

"Robin H. Johnson" <robbat2@gentoo.org> posted
20070928001048.GD1606@curie-int.orbis-terrarum.net, excerpted below, on 
Thu, 27 Sep 2007 17:10:48 -0700:

> If there aren't too many AND we can get a dedicated IP for each of those
> services, I'd like to suggest the following, as an easily doable and
> low-overhead (in terms of Trustees/paperwork) solution:
> 
> 1. On the services identified, get extra IPs, and use the free GoDaddy
> certs.
> 2. On other services use the Gentoo-CA approach.

There's probably a reason this won't work, since I've yet to see it 
brought up here and it's not mentioned on the bug either, but hey, I 
don't know said reason, and it's worth the shot...

Would it be possible to set up a gentoo-certs package, versioned like any 
other, with USE flags if necessary for installing where various browsers, 
etc can see them?

The idea being, any time a certificate changes you create a new version 
of gentoo-certs.  "Security-clueless" users can simply be told about this 
package, and should reasonably quickly get the idea of checking for an 
upgrade any time they get a security warning.  Certs in this package 
would then be accepted by default, while allowing users the option of 
installing the package or not, plus the possible USE flags, as well as 
configuring their browser manually to reject the certs, if desired.

That would be easier in some ways and harder in others, than setting up a 
full Gentoo-CA.  However, Gentoo devs deal with packages every day, while 
I doubt many deal with CA signing every day (umm... from the bug it looks 
like a couple devs do... enough anyway if not every day), so it might be 
more routine and thus easier for Gentoo to go the package route, even if 
it's harder in the absolute.

I'd think "you need to merge or update this package" would suffice for 
the "security-clueless", while the "security-clueful" already know the 
deal, so no big deal for them, tho it'd lessen the hassle factor for them 
as well.

-- 
Duncan - List replies preferred.   No HTML msgs.
"Every nonfree program has a lord, a master --
and if you use the program, he is your master."  Richard Stallman


* Re: [gentoo-dev] SSL-Certificates and CAcert
From: Lars Weiler @ 2007-09-28 12:25 UTC
  To: gentoo-dev

* Robin H. Johnson <robbat2@gentoo.org> [07/09/27 15:11 -0700]:
> Go and read ALL of this bug:
> http://bugs.gentoo.org/show_bug.cgi?id=108944
> Pylon and myself, as folk in favour of CA-Cert tried to get the ball
> rolling to get Organization-level certs from CACert. It seems to have
> long blocked on trustees and paperwork - both on our side, and on the
> side of CACert (Inclusion in Mozilla is blocking on the CACert internal
> audit).

Funny thing, I just checked my CACert-account (as I had to
assure some other people) and found out that I'm listed as
"Org Admin" for gentoo.org, but with the comment "to be
completed".

I filed a request to CACert in March, but it seems that I
must have missed the response or they are waiting for the
paperwork by the foundation.  I'll look into the open issues
and will keep you informed about the process (preferably in
the named bug).

Regards, Lars

-- 
Lars Weiler  <pylon@gentoo.org>  +49-171-1963258
Instant Messaging     : pylon@jabber.ccc.de
Gentoo Linux PowerPC  : Developer
Gentoo Infrastructure : CVS/SVN Administrator


* Re: [gentoo-dev] SSL-Certificates and CAcert
From: Mike Williams @ 2007-09-28 17:03 UTC
  To: gentoo-dev

On Friday 28 September 2007 01:10:48 Robin H. Johnson wrote:
> > Is there a reason that my Godaddy suggestion in the bug isn't being
> > considered? Regardless of what you may think of them as a company, they
> > offer the same free type of certificate to open source projects just like
> > cacert, and with what looks to be considerably less overhead.  I
> > understand that cacert is more "open sourcy" than godaddy, but if they're
> > as much of a roadblock as the Trustees are in this case, maybe going that
> > route would enable us to move forward?
>
> See my comment #14, regarding regenerating the certs [1] each time the set
> of SSL vhosts on a box changes. For mail services, this isn't really an
> issue, but for web services it's a big one. Wildcards only work in
> Mozilla, and nowhere else [2].
>
> [1] http://wiki.cacert.org/wiki/VhostTaskForce#head-7236c4e2c9932ef42056b3ff6d367053081887de
> [2] http://wiki.cacert.org/wiki/WildcardCertificates

Wildcard certs work with all browsers, even wget and lynx, and one wildcard 
will cover anything *.gentoo.org, but not *.*.gentoo.org. No regeneration 
necessary.
That wiki page I believe only talks about *'s in different places, which is 
not supported.
I personally use the same wildcard cert for webmail via apache, imap/pop via 
courier, and SMTP.

-- 
Mike Williams
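
An added example, not part of the original message: a strict matcher for the wildcard rule described above, where `*.gentoo.org` covers exactly one extra label and a `*` in any other position is rejected. The function names, the host list and the refusal of a wildcard directly under a top-level domain are assumptions made for illustration.

```python
def match_hostname(pattern, hostname):
    """Return True if a certificate name covers hostname under left-most-label rules."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if "" in h_labels or "" in p_labels or "*" in hostname:
        return False                      # empty labels or a literal '*' in the host
    if len(p_labels) != len(h_labels):
        return False                      # '*' stands for exactly one label
    first, rest = p_labels[0], p_labels[1:]
    if any("*" in label for label in rest):
        return False                      # '*' outside the left-most label
    if rest != h_labels[1:]:
        return False
    if first == "*":
        return len(rest) >= 2             # assumption: refuse '*.org'-style names
    if "*" in first:
        return False                      # partial labels such as 'w*' are refused
    return first == h_labels[0]


def coverage(cert_names, hosts):
    """Map each host to the first certificate name that covers it, or None."""
    result = {}
    for host in hosts:
        result[host] = next((n for n in cert_names if match_hostname(n, host)), None)
    return result


# Constructed vhost list: the names are illustrative, not an inventory of real services.
HOSTS = [
    "bugs.gentoo.org",
    "forums.gentoo.org",
    "gentoo.org",
    "a.b.gentoo.org",
]

if __name__ == "__main__":
    # One wildcard certificate plus the bare domain as a second name.
    for host, name in coverage(["*.gentoo.org", "gentoo.org"], HOSTS).items():
        print("%-20s %s" % (host, name or "NOT COVERED"))
```

Adding a new single-label vhost under the domain needs no new certificate, while a deeper name such as `a.b.gentoo.org` needs its own name or its own wildcard.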

* Re: [gentoo-dev]  Re: SSL-Certificates and CAcert
From: Robin H. Johnson @ 2007-09-28 22:45 UTC
  To: gentoo-dev

On Fri, Sep 28, 2007 at 09:31:24AM +0000, Duncan wrote:
> Would it be possible to set up a gentoo-certs package, versioned like any 
> other, with USE flags if necessary for installing where various browsers, 
> etc can see them?
That fails/makes-it-complicated for somebody accessing the Gentoo SSL
services outside a Gentoo system.

-- 
Robin Hugh Johnson
Gentoo Linux Developer & Infra Guy
E-Mail     : robbat2@gentoo.org
GnuPG FP   : 11AC BA4F 4778 E3F6 E4ED  F38E B27B 944E 3488 4E85


* [gentoo-dev]  Re: SSL-Certificates and CAcert
From: Duncan @ 2007-09-29  6:29 UTC
  To: gentoo-dev

"Robin H. Johnson" <robbat2@gentoo.org> posted
20070928224541.GE1606@curie-int.orbis-terrarum.net, excerpted below, on 
Fri, 28 Sep 2007 15:45:41 -0700:

> On Fri, Sep 28, 2007 at 09:31:24AM +0000, Duncan wrote:
>> Would it be possible to set up a gentoo-certs package, versioned like
>> any other, with USE flags if necessary for installing where various
>> browsers, etc can see them?
> That fails/makes-it-complicated for somebody accessing the Gentoo SSL
> services outside a Gentoo system.

Fair point.  Thanks.

-- 
Duncan - List replies preferred.   No HTML msgs.
"Every nonfree program has a lord, a master --
and if you use the program, he is your master."  Richard Stallman

Thread overview: 13+ messages
2007-09-27 15:23 [gentoo-dev] SSL-Certificates and CAcert Hanno Böck
2007-09-27 15:32 ` Petteri Räty
2007-09-27 15:37 ` Andrew Gaffney
2007-09-27 17:01   ` Hanno Böck
2007-09-27 19:01   ` Doug Goldstein
2007-09-27 22:11 ` Robin H. Johnson
2007-09-27 22:47   ` Caleb Tennis
2007-09-28  0:10     ` Robin H. Johnson
2007-09-28  9:31       ` [gentoo-dev] " Duncan
2007-09-28 22:45         ` Robin H. Johnson
2007-09-29  6:29           ` Duncan
2007-09-28 17:03       ` [gentoo-dev] " Mike Williams
2007-09-28 12:25   ` Lars Weiler
