public inbox for gentoo-user@lists.gentoo.org
From: William Kenworthy <billk@iinet.net.au>
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] app-misc/ca-certificates
Date: Tue, 1 Jun 2021 13:15:00 +0800	[thread overview]
Message-ID: <61db8745-dbb4-9c7e-80a9-6725905178c4@iinet.net.au> (raw)
In-Reply-To: <5480288.DvuYhMxLoT@iris>


On 1/6/21 12:45 pm, J. Roeleveld wrote:
> On Saturday, May 29, 2021 8:26:57 AM CEST Walter Dnes wrote:
>> On Sat, May 29, 2021 at 03:08:39AM +0200, zcampe@gmail.com wrote
>>
>>> 125 config files in /etc/ssl/certs needs update.
>>>
>>> For certificates I would expect the old and invalid ones to be replaced
>>> by newer ones without user intervention.
>>   Looking through them is "interesting".  There seem to be a lot of
>> /etc/ssl/certs/????????.0 files, where "?" is either a random number or
>> a lower case letter.  These all seem to be symlinks to
>> /etc/ssl/certs/<Some_Name>.pem.  Each of those files is in turn a
>> symlink to /usr/share/ca-certificates/mozilla/<Some_Name>.crt.  How much
>> do we trust China?  There are a couple of certificates in there named
>> /usr/share/ca-certificates/mozilla/Hongkong_Post_Root_CA_1.crt  and
>> /usr/share/ca-certificates/mozilla/Hongkong_Post_Root_CA_3.crt.  Any
>> other suspicious regimes in there?
> I've always wondered about the amount of CAs that are auto-trusted on any 
> system. Including several from countries with serious human rights issues.
>
> I could do with a tool where I can easily select which CAs to trust based on 
> country.
>
> --
> Joost


And another "wondering" - all the warnings about trusting self-signed
certs seem a bit self-serving. Yes, they are trying to certify who you
are, but at the expense of probably allowing access to your
communications by "authorised parties" (such as commercial entities
purchasing access for MITM access - e.g. certain router/firewall
companies doing deep inspection of SSL via re-signing or owning both end
points). If it's only your own communications and not with a third,
commercial party, self-signed seems a lot more secure.

Getting a bit OT, but interesting nonetheless.

BillK

Ref:

https://checkthefirewall.com/blogs/fortinet/ssl-inspection

https://us-cert.cisa.gov/ncas/alerts/TA17-075A
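An added example, not from anyone in the thread: a small POSIX shell script that does the two things discussed above. It explains the `????????.0` names Walter found in /etc/ssl/certs (they are OpenSSL's subject-name hash, the same value `openssl x509 -subject_hash` prints, as produced by `openssl rehash` / `c_rehash`), and it gives Joost a rough version of the "which CAs do I trust, by country" tool by reading the C= attribute of each certificate's subject. It needs only the openssl CLI. The three "root" certificates it generates are constructed throw-away self-signed certs with invented names, not entries from the real Mozilla bundle; point `list_by_country` at /usr/share/ca-certificates/mozilla to run it on the real store.

```shell
#!/bin/sh
# Added example (not from the thread): inspect a directory of CA certificates
# the way /etc/ssl/certs is laid out, and group them by the C= (country)
# attribute of the subject. Requires the openssl command-line tool.
set -eu

# Two-letter country code from a PEM certificate's subject, or "??" if the
# subject carries no C= attribute. RFC2253 output is "subject=CN=...,O=...,C=XX".
cert_country() {
  c=$(openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
        | tr ',' '\n' \
        | sed -n 's/^\(subject= *\)\{0,1\}C=\(..\).*/\2/p' \
        | head -n 1)
  printf '%s\n' "${c:-??}"
}

# The "????????.0" links in /etc/ssl/certs are named after the subject-name
# hash: 8 hex digits plus a counter that is bumped on hash collisions.
cert_hash_name() {
  printf '%s.0\n' "$(openssl x509 -in "$1" -noout -subject_hash)"
}

# Print "<country> <file>" for every .crt / .pem in a directory, sorted.
list_by_country() {
  for f in "$1"/*.crt "$1"/*.pem; do
    [ -f "$f" ] || continue
    printf '%s %s\n' "$(cert_country "$f")" "$(basename "$f")"
  done | sort
}

# Print only the files whose subject country is in an allow-list such as "AU US".
# Usage: trusted_in DIR "CC CC ..."
trusted_in() {
  dir=$1
  allow=" $2 "
  list_by_country "$dir" | while read -r cc name; do
    case "$allow" in
      *" $cc "*) printf '%s\n' "$name" ;;
    esac
  done
}

# Constructed sample store: three self-signed "roots" with invented names,
# one each from HK, US and DE. Prints the directory it created.
make_sample_store() {
  d=$(mktemp -d)
  for spec in "HK:Hongkong_Example_Root" "US:Example_US_Root" "DE:Example_DE_Root"; do
    cc=${spec%%:*}
    name=${spec#*:}
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
      -subj "/C=$cc/O=Example/CN=$name" \
      -keyout "$d/$name.key" -out "$d/$name.crt" 2>/dev/null
  done
  printf '%s\n' "$d"
}
```

Note that the C= attribute only says where the CA's subject claims to be registered; a CA can operate, or be compelled, anywhere its legal parent is, so treat the grouping as a starting point for review rather than a trust decision. Removing a root on Gentoo means dropping it from /etc/ca-certificates.conf (the `!`-prefixed form) and re-running `update-ca-certificates`, otherwise the next `app-misc/ca-certificates` update puts the symlink back.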



Thread overview: 28+ messages
2021-05-29  1:08 [gentoo-user] app-misc/ca-certificates zcampe
2021-05-29  6:26 ` Walter Dnes
2021-06-01  4:45   ` J. Roeleveld
2021-06-01  5:15     ` William Kenworthy [this message]
2021-06-01 10:44       ` Letsencrypt (was Re: [gentoo-user] app-misc/ca-certificates) karl
2021-06-01 11:17         ` J. Roeleveld
2021-06-01 11:40           ` Michael Orlitzky
2021-06-01 12:02             ` Peter Humphrey
2021-06-01 12:16               ` Michael Orlitzky
2021-06-01 12:24                 ` Peter Humphrey
2021-06-01 13:22                 ` Rich Freeman
2021-06-01 13:17             ` karl
2021-06-01 13:20               ` karl
2021-06-01 13:17           ` karl
2021-06-01 11:59       ` [gentoo-user] app-misc/ca-certificates Adam Carter
2021-06-01 13:29         ` Rich Freeman
2021-06-02  1:13           ` William Kenworthy
2021-06-03  9:06           ` Adam Carter
2021-06-01 21:25       ` Grant Taylor
2021-06-01 21:38         ` Michael Orlitzky
2021-06-02  1:51           ` Grant Taylor
2021-06-02  7:21             ` J. Roeleveld
2021-06-02 20:22               ` Grant Taylor
2021-06-02  7:48             ` Fannys
2021-06-02 20:23               ` Grant Taylor
2021-06-01 22:28     ` Fannys
2021-06-02  7:23       ` J. Roeleveld
2021-06-01 21:05   ` Grant Taylor
