From: Michael Orlitzky <michael@orlitzky.com>
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] Internet security.
Date: Mon, 09 Sep 2013 10:00:25 -0400 [thread overview]
Message-ID: <522DD479.80001@orlitzky.com> (raw)
In-Reply-To: <CAGBogHzes3c2XnKvKthrjLaVviFpqOpMo-w3xLWn=3ZZ6tNjMw@mail.gmail.com>
On 09/09/2013 03:19 AM, Pavel Volkov wrote:
> On Mon, Sep 9, 2013 at 6:05 AM, Michael Orlitzky <michael@orlitzky.com
> <mailto:michael@orlitzky.com>> wrote:
>
> The CA infrastructure was never secure. It exists to transfer money away
> from website owners and into the bank accounts of the CAs and browser
> makers. Security may be one of their goals, but it's certainly not the
> motivating one.
>
>
> Well, at least CAcert doesn't exist for money.
>
You sort of make my point for me:
If you want to access a website that uses a SSL certificate signed by
CAcert, you might get an SSL warning. We are sorry, but currently
that's still 'normal' as mainstream browsers don't automatically
include the CAcert Root Certificate yet. [1]
So, CACert certificates don't eliminate the browser warning, which is
the only reason you would ever pay for a certificate in the first place.
But why don't browsers include CACert?
Traditionally vendors seeking to have their root certificates
included in browsers (directly or via the underlying OS
infrastructure like Safari via OS X's Keychain) would have to seek an
expensive Webtrust audit (~$75,000 up-front plus ~$10,000 per
year). [2]
They don't pay up! So I wouldn't include CACert in my blanket statement,
but they're not really part of the CA infrastructure and you might as
well use a self-signed cert instead if you're gonna get a warning anyway.
> I've got a question about Gentoo in this case. If we assume that stage3
> is trusted, does portage check that mirrors are trusted?
No. There's a GLEP for some of these issues:
https://www.gentoo.org/proj/en/glep/glep-0057.html
The relevant part is,
...any non-Gentoo controlled rsync mirror can modify executable code;
as much of this code is per default run as root a malicious mirror
could compromise hundreds of systems per day - if cloaked well
enough, such an attack could run for weeks before being noticed.
[1] http://wiki.cacert.org/FAQ/BrowserClients
[2] http://wiki.cacert.org/InclusionStatus
next prev parent reply other threads:[~2013-09-09 14:00 UTC|newest]
Thread overview: 22+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-09-09 1:33 [gentoo-user] Internet security Dale
2013-09-09 2:05 ` Michael Orlitzky
2013-09-09 5:28 ` Mick
2013-09-09 13:42 ` Michael Orlitzky
2013-09-09 18:07 ` Mick
2013-09-09 19:24 ` Michael Orlitzky
2013-09-10 5:33 ` Mick
2013-09-09 6:50 ` Adam Carter
2013-09-09 13:48 ` Michael Orlitzky
2013-09-09 7:19 ` Pavel Volkov
2013-09-09 14:00 ` Michael Orlitzky [this message]
2013-09-09 17:36 ` Pavel Volkov
2013-09-09 17:51 ` Michael Orlitzky
2013-09-09 5:37 ` Mick
2013-09-09 9:36 ` thegeezer
2013-09-09 11:08 ` Bruce Hill
2013-09-09 11:22 ` thegeezer
2013-09-09 14:28 ` Hinnerk van Bruinehsen
2013-09-09 15:30 ` thegeezer
2013-09-09 16:04 ` Hinnerk van Bruinehsen
2013-09-09 16:41 ` thegeezer
2013-09-09 15:30 ` Dale
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=522DD479.80001@orlitzky.com \
--to=michael@orlitzky.com \
--cc=gentoo-user@lists.gentoo.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox