Re: Letsencrypt (was Re: [gentoo-user] app-misc/ca-certificates)
From: Rich Freeman @ 2021-06-01 13:22 UTC
To: gentoo-user

On Tue, Jun 1, 2021 at 8:16 AM Michael Orlitzky <mjo@gentoo.org> wrote:
>
> On Tue, 2021-06-01 at 13:02 +0100, Peter Humphrey wrote:
> >
> > So what would you recommend for someone in the case Joost cites? I'm in that
> > position, being a home user of a small network but no registered Internet
> > name.
> >
>
> A self-signed certificate combined with a browser extension that lets
> you "pin" it. With pinning, you can keep your browser usable on the WWW
> while still rejecting any forged certificates for your own hosts. The
> end result works pretty much like SSH keys do.

Can't really argue with this.  However, for those who aren't
completely following along it is probably worth pointing out that the
way you're doing it is different from how 99.999% of the world is
doing it.

So, if you're talking about securing communications between hosts you
control, what mjo suggests is a much better solution than the standard
solution (at least security-wise).  There are probably better ways to
do it, but not much that is standard.

However, if you're working with others then that solution isn't such a
good one, as it isn't really standard.  That said, it isn't uncommon
for more sophisticated companies to pin certificates from their
partners so that a random CA can't do an end-run around security.  I
have vendors I work with who regularly send out notices of pending
certificate changes to technical contacts to allow for this.

Really though the entire SSL CA infrastructure needs a massive
overhaul.  Using something like DNSSEC as a trust root would be one
way to go about it.  Another might be to restrict the scope that CAs
could sign within and have some way to automate that.  Self-signed
certs aren't a good solution for the average user and no SSL is an
even worse one (at best it removes security theater, but at the cost
of allowing attackers to not even bother with subverting the CA
system, which opens up a lot more attacks).  Right now you can browse
using SSL to army.mil for the first time and in theory your browser
won't complain if the certificate is signed by the PLA...

-- 
Rich
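The pinning model mjo describes and Rich endorses above ("works pretty much like SSH keys do") can be written down in a few dozen lines. The following is an added example, not code from this thread or from any Gentoo package: a trust-on-first-use pin store that records the SHA-256 fingerprint of a host's DER certificate the first time it is seen and refuses any later connection presenting a different certificate, no matter which CA signed it. The store format (a JSON file), the function names, the `PinMismatch` exception and the sample bytes in the demo are all this example's own assumptions.

```python
"""Trust-on-first-use certificate pinning in the style of SSH known_hosts.

Added example for the gentoo-user thread, not code from the thread itself.
All names and the store format are assumptions of this example.
"""
import hashlib
import json
import socket
import ssl
from pathlib import Path


class PinMismatch(Exception):
    """The host presented a certificate other than the one pinned for it."""


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 over the whole DER certificate, as colon-separated hex."""
    digest = hashlib.sha256(der_cert).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def check_pin(store: dict, host: str, port: int, der_cert: bytes) -> str:
    """Enforce the pin for host:port.

    Returns "new" when the host is seen for the first time (the pin is
    recorded), "ok" when the presented certificate matches the stored pin,
    and raises PinMismatch otherwise. This is the SSH rule: first contact
    is trusted, every later contact must agree with it.
    """
    key = f"{host}:{port}"
    fp = fingerprint(der_cert)
    pinned = store.get(key)
    if pinned is None:
        store[key] = fp
        return "new"
    if pinned != fp:
        raise PinMismatch(f"{key}: pinned {pinned}, got {fp}")
    return "ok"


def load_store(path: Path) -> dict:
    """Read the JSON pin store, or start empty if it does not exist yet."""
    return json.loads(path.read_text()) if path.exists() else {}


def save_store(path: Path, store: dict) -> None:
    """Persist the pin store; sorted keys keep diffs readable."""
    path.write_text(json.dumps(store, indent=2, sort_keys=True))


def connect_pinned(host: str, port: int, store_path: Path,
                   timeout: float = 5.0) -> str:
    """Open a TLS connection whose only trust decision is the pin.

    CA validation and hostname checking are switched off on purpose: a
    self-signed certificate has no chain to validate, and the point of
    pinning is that a certificate obtained from some public CA for our
    name must still be rejected. The pin is checked right after the
    handshake, before any application data would be sent.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must precede verify_mode=CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    store = load_store(store_path)
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
            if der is None:
                raise PinMismatch(f"{host}:{port}: no certificate presented")
            status = check_pin(store, host, port, der)
    save_store(store_path, store)
    return status


if __name__ == "__main__":
    # Offline demo with constructed stand-ins for two DER certificates.
    demo_store: dict = {}
    cert_a = b"\x30\x82\x01\x00constructed stand-in for certificate A"
    cert_b = b"\x30\x82\x01\x00constructed stand-in for certificate B"
    print(check_pin(demo_store, "nas.home", 443, cert_a))   # new
    print(check_pin(demo_store, "nas.home", 443, cert_a))   # ok
    try:
        check_pin(demo_store, "nas.home", 443, cert_b)
    except PinMismatch as exc:
        print("rejected:", exc)
```

Two caveats a practitioner should keep in mind. First, the pin here covers the whole certificate, so it changes on every renewal even when the key is kept; pinning the hash of the SubjectPublicKeyInfo instead survives key-preserving renewals, at the cost of a DER parser (or the `cryptography` package) to extract it. Second, trust on first use is only as good as the first connection, which is why the partner-pinning practice Rich mentions pairs it with an out-of-band notice of upcoming certificate changes so the pin can be updated deliberately rather than by blindly accepting a mismatch.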



2021-05-29  1:08     [gentoo-user] app-misc/ca-certificates zcampe
2021-06-01 11:17     ` Letsencrypt (was Re: [gentoo-user] app-misc/ca-certificates) J. Roeleveld
2021-06-01 11:40       ` Michael Orlitzky
2021-06-01 12:02         ` Peter Humphrey
2021-06-01 12:16           ` Michael Orlitzky
2021-06-01 13:22             ` Rich Freeman
