public inbox for gentoo-user@lists.gentoo.org
* Re: [gentoo-user] app-misc/ca-certificates
From: William Kenworthy @ 2021-06-01  5:15 UTC
  To: gentoo-user


On 1/6/21 12:45 pm, J. Roeleveld wrote:
> On Saturday, May 29, 2021 8:26:57 AM CEST Walter Dnes wrote:
>> On Sat, May 29, 2021 at 03:08:39AM +0200, zcampe@gmail.com wrote
>>
>>> 125 config files in /etc/ssl/certs needs update.
>>>
>>> For certificates I would expect the old and invalid ones to be replaced
>>> by newer ones without user intervention.
>>   Looking through them is "interesting".  There seem to be a lot of
>> /etc/ssl/certs/????????.0 files, where "?" is either a random number or
>> a lower case letter.  These all seem to be symlinks to
>> /etc/ssl/certs/<Some_Name>.pem.  Each of those files is in turn a
>> symlink to /usr/share/ca-certificates/mozilla/<Some_Name>.crt.  How much
>> do we trust China?  There are a couple of certificates in there named
>> /usr/share/ca-certificates/mozilla/Hongkong_Post_Root_CA_1.crt  and
>> /usr/share/ca-certificates/mozilla/Hongkong_Post_Root_CA_3.crt.  Any
>> other suspicious regimes in there?
> I've always wondered about the number of CAs that are auto-trusted on any
> system, including several from countries with serious human rights issues.
>
> I could do with a tool where I can easily select which CAs to trust based on 
> country.
>
> --
> Joost


And another "wondering" - all the warnings about trusting self-signed
certs seem a bit self-serving. Yes, they are trying to certify who you
are, but at the expense of probably allowing access to your
communications by "authorised parties" (such as commercial entities
purchasing access for MITM access - e.g. certain router/firewall
companies doing deep inspection of SSL via resigning or owning both end
points). If it's only your own communications and not with a third,
commercial party, self-signed seems a lot more secure.

Getting a bit OT, but interesting nonetheless.

BillK

Ref:

https://checkthefirewall.com/blogs/fortinet/ssl-inspection

https://us-cert.cisa.gov/ncas/alerts/TA17-075A



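As an added example (not part of the thread and not code from the ca-certificates package), the following POSIX shell script walks the symlink layout Walter describes, /etc/ssl/certs/<hash>.0 -> <Name>.pem -> /usr/share/ca-certificates/mozilla/<Name>.crt, and prints each trusted root's subject country next to the file it resolves to, which gives the per-country view Joost asked for. It assumes readlink(1) and openssl(1) are available and that the store lives in /etc/ssl/certs; the script name ca-audit.sh, the CERT_DIR variable and the audit/summary subcommands are my own choices.

```shell
#!/bin/sh
# ca-audit.sh (added example, not from the thread): review which root CAs a
# system trusts, grouped by the country in each certificate's subject.
# Assumes readlink(1) and openssl(1); CERT_DIR defaults to the Gentoo/Debian
# layout described in the thread.

CERT_DIR="${CERT_DIR:-/etc/ssl/certs}"

# resolve_chain LINK: print every hop of a symlink chain, one per line,
# starting with LINK itself and ending at the regular file it points to.
# Relative targets are resolved against the directory of the link.
resolve_chain() {
    link="$1"
    printf '%s\n' "$link"
    while [ -L "$link" ]; do
        target=$(readlink "$link")
        case "$target" in
            /*) link="$target" ;;
            *)  link="$(dirname "$link")/$target" ;;
        esac
        printf '%s\n' "$link"
    done
}

# country_from_subject LINE: pull the C= attribute out of the line that
# `openssl x509 -noout -subject` prints, in either the newer
# "subject=C = HK, O = ..." or the older "subject= /C=HK/O=..." spelling.
# Prints "??" when the subject carries no country.
country_from_subject() {
    c=$(printf '%s\n' "$1" | sed -n 's/.*[/=, ]C *= *\([A-Za-z][A-Za-z]\).*/\1/p')
    if [ -n "$c" ]; then
        printf '%s\n' "$c"
    else
        printf '??\n'
    fi
}

# cert_country FILE: two-letter subject country of a PEM certificate,
# or "??" if openssl cannot read it (or is not installed).
cert_country() {
    country_from_subject "$(openssl x509 -in "$1" -noout -subject 2>/dev/null)"
}

# audit DIR: for each hash-named link (<8 hex chars>.<n>) print
# "COUNTRY LINK -> FINAL_FILE", sorted so one country's roots sit together.
audit() {
    dir="${1:-$CERT_DIR}"
    for link in "$dir"/????????.[0-9]; do
        [ -e "$link" ] || continue
        final=$(resolve_chain "$link" | tail -n 1)
        printf '%s %s -> %s\n' "$(cert_country "$final")" "$link" "$final"
    done | sort
}

# summarize DIR: number of trusted roots per country, most first.
summarize() {
    audit "$1" | awk '{ n[$1]++ } END { for (c in n) print n[c], c }' | sort -rn
}

# Command-line entry point: `sh ca-audit.sh audit [DIR]` or
# `sh ca-audit.sh summary [DIR]`. With no arguments nothing runs, so the
# functions can also be sourced.
case "${1:-}" in
    audit)   audit "${2:-$CERT_DIR}" ;;
    summary) summarize "${2:-$CERT_DIR}" ;;
esac
```

Run `sh ca-audit.sh summary` to see how many roots each country contributes, then `sh ca-audit.sh audit | grep '^HK '` (or any other code) to list the files behind a given country before deciding which entries to deselect in the package's configuration. The country comes from the certificate's own subject, so a CA that registers its root elsewhere will be counted under that country, which is a limit of this view rather than of the trust store.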

2021-05-29  1:08     [gentoo-user] app-misc/ca-certificates zcampe
2021-05-29  6:26     ` Walter Dnes
2021-06-01  4:45       ` J. Roeleveld
2021-06-01  5:15         ` William Kenworthy
