From: "J. Roeleveld"
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] app-misc/ca-certificates
Date: Wed, 02 Jun 2021 09:21:38 +0200
Message-ID: <2584277.mvXUDI8C0e@iris>
In-Reply-To: <5f29a4f8-a1a5-9f4a-1fe2-f06172da8e6b@spamtrap.tnetconsulting.net>
References: <20210529030839.123d8526@melika.host77.tld> <5f29a4f8-a1a5-9f4a-1fe2-f06172da8e6b@spamtrap.tnetconsulting.net>
List-Id: Gentoo Linux mail

On Wednesday, June 2, 2021 3:51:06 AM CEST Grant Taylor wrote:
> On 6/1/21 3:38 PM, Michael Orlitzky wrote:
> > All browsers will treat their fake certificate corresponding to the
> > fake key on their fake web server as completely legitimate. The "real"
> > original key that you generated has no special technical properties
> > that distinguish it.
>
> Not /all/ browsers. I know people who have run browser extensions to
> validate the TLS certificate that they receive against records published
> via DANE in DNS, which is protected by DNSSEC. So it's effectively
> impossible for a rogue CA and malicious actor to violate that chain of
> trust in a way that can't be detected and acted on.

Do you know which extensions add this?
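The check Grant describes is the TLSA matching defined in RFC 6698 (with the RFC 7671 operational rules): the client takes the certificate it received in the TLS handshake, derives the "certificate association data" the way the record's selector and matching type say (full certificate or SubjectPublicKeyInfo; raw, SHA-256 or SHA-512), and compares it with what the domain owner published under _443._tcp.<host>. A rogue CA can mint a certificate for the name, but it cannot make that certificate hash to the owner's published value. The example below is added here to illustrate that comparison; it is not code from the thread or from any browser extension. It assumes a DANE-EE (usage 3) record, and the certificates are constructed DER stand-ins with X.509's field layout (built by build_fake_cert), not real certificates; a real client would feed it the DER leaf from the handshake and the TLSA RRset from a DNSSEC-validating lookup.

```python
"""DANE-EE TLSA matching of a presented certificate (RFC 6698 / RFC 7671).
Added example, not code from the gentoo-user thread; the certificates are
constructed DER stand-ins with X.509's field layout, not real certificates."""
import hashlib
import hmac
from dataclasses import dataclass

def der_tlv(tag: int, content: bytes) -> bytes:
    """Encode one DER tag-length-value (short- or long-form length)."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(body)]) + body + content

def der_read(buf: bytes, pos: int):
    """Decode the TLV at buf[pos]: returns (tag, content, position after it)."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, hdr = first, 2
    else:
        n = first & 0x7F
        length, hdr = int.from_bytes(buf[pos + 2:pos + 2 + n], "big"), 2 + n
    return tag, buf[pos + hdr:pos + hdr + length], pos + hdr + length

def extract_spki(cert_der: bytes) -> bytes:
    """Return the DER SubjectPublicKeyInfo TLV (what TLSA selector 1 covers).
    TBSCertificate: [0] version OPTIONAL, serial, sigalg, issuer, validity, subject, SPKI, ..."""
    try:
        tag, cert, _ = der_read(cert_der, 0)
        tbs_tag, tbs, _ = der_read(cert, 0)
        fields, pos = [], 0
        while pos < len(tbs):                     # split TBSCertificate into its TLVs
            t, _, nxt = der_read(tbs, pos)
            fields.append((t, tbs[pos:nxt]))
            pos = nxt
    except IndexError:
        raise ValueError("truncated DER") from None
    if fields and fields[0][0] == 0xA0:           # skip the optional explicit version
        fields = fields[1:]
    if tag != 0x30 or tbs_tag != 0x30 or len(fields) < 6 or fields[5][0] != 0x30:
        raise ValueError("not a DER X.509 Certificate")
    return fields[5][1]

@dataclass(frozen=True)
class TLSA:
    usage: int      # 0 PKIX-TA, 1 PKIX-EE, 2 DANE-TA, 3 DANE-EE
    selector: int   # 0 full certificate, 1 SubjectPublicKeyInfo
    mtype: int      # 0 exact, 1 SHA-256, 2 SHA-512
    data: bytes     # certificate association data

    @classmethod
    def from_presentation(cls, rdata: str) -> "TLSA":   # zone-file form: '3 1 1 <hex>'
        usage, selector, mtype, *hexparts = rdata.split()
        return cls(int(usage), int(selector), int(mtype), bytes.fromhex("".join(hexparts)))

_MATCH = {0: lambda m: m, 1: lambda m: hashlib.sha256(m).digest(), 2: lambda m: hashlib.sha512(m).digest()}

def association_data(cert_der: bytes, selector: int, mtype: int) -> bytes:
    """What a TLSA record with this selector/matching type must carry for cert_der."""
    if selector not in (0, 1) or mtype not in _MATCH:
        raise ValueError("unusable record: unknown selector or matching type")
    return _MATCH[mtype](cert_der if selector == 0 else extract_spki(cert_der))

def dane_ee_match(cert_der: bytes, rrset) -> bool:
    """True iff a usable DANE-EE (usage 3) record matches the presented end-entity cert.
    Unusable records are skipped, not failed (RFC 7671); usages 0-2 also need PKIX, so they are ignored here."""
    for rr in rrset:
        if rr.usage != 3:
            continue
        try:
            expected = association_data(cert_der, rr.selector, rr.mtype)
        except ValueError:
            continue
        if hmac.compare_digest(expected, rr.data):
            return True
    return False

_SHA256_RSA = der_tlv(0x30, der_tlv(0x06, bytes.fromhex("2a864886f70d01010b")) + der_tlv(0x05, b""))
_RSA = der_tlv(0x30, der_tlv(0x06, bytes.fromhex("2a864886f70d010101")) + der_tlv(0x05, b""))

def build_fake_cert(key_bytes: bytes) -> bytes:
    """Constructed DER with a Certificate's layout around key_bytes; not a valid cert."""
    name = der_tlv(0x30, b"")                                   # empty Name placeholder
    validity = der_tlv(0x30, der_tlv(0x17, b"210601000000Z") + der_tlv(0x17, b"220601000000Z"))
    spki = der_tlv(0x30, _RSA + der_tlv(0x03, b"\x00" + key_bytes))
    tbs = der_tlv(0x30, der_tlv(0xA0, der_tlv(0x02, b"\x02")) + der_tlv(0x02, b"\x01")
                  + _SHA256_RSA + name + validity + name + spki)
    return der_tlv(0x30, tbs + _SHA256_RSA + der_tlv(0x03, b"\x00" + b"\xaa" * 16))

def demo() -> dict:
    """The thread's scenario: the site owner's cert vs. a rogue CA's cert for the same name."""
    genuine, rogue = build_fake_cert(bytes(range(32))), build_fake_cert(bytes(range(32, 64)))
    # The owner publishes "3 1 1 <sha256(SPKI)>" at _443._tcp.<host>, in a DNSSEC-signed zone.
    rrset = [TLSA.from_presentation("3 9 1 " + "00" * 32),      # unknown selector: skipped
             TLSA.from_presentation("3 1 1 " + hashlib.sha256(extract_spki(genuine)).hexdigest())]
    return {"genuine_accepted": dane_ee_match(genuine, rrset),
            "rogue_rejected": not dane_ee_match(rogue, rrset),
            "only_unusable_record": dane_ee_match(genuine, rrset[:1])}
```

Two caveats a practitioner would want. First, the comparison is only as strong as the DNS answer: the TLSA RRset has to come from a DNSSEC-validating resolver the client trusts (or be validated locally); an unauthenticated answer could be spoofed to match whatever certificate the attacker presents. Second, "3 1 1" pins the key, not the certificate, so the site owner can re-issue from a new CA without touching DNS but must publish a new record (and wait out the TTL) before rotating the key, or DANE-aware clients will reject the new server.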