From: Adam Carter <adamcarter3@gmail.com>
To: Gentoo User <gentoo-user@lists.gentoo.org>
Subject: Re: [gentoo-user] app-misc/ca-certificates
Date: Tue, 1 Jun 2021 21:59:15 +1000
Message-ID: <CAC=wYCFDkSkHuCKF_GSUFVWZxVNiTNduH1HvFLQ3cmQYgrTcYg@mail.gmail.com>
In-Reply-To: <61db8745-dbb4-9c7e-80a9-6725905178c4@iinet.net.au>
>
> And another "wondering" - all the warnings about trusting self-signed
> certs seem a bit self-serving. Yes, they are trying to certify who you
> are, but at the expense of probably allowing access to your
> communications by "authorised parties" (such as commercial entities
> purchasing access for MITM access - e.g. certain router/firewall
> companies doing deep inspection of SSL via resigning or owning both
> endpoints).
CAs who issue such dodgy certs tend to get booted from certificate stores,
since they cannot be trusted.
https://wiki.mozilla.org/CA:Symantec_Issues#Issue_D:_Test_Certificate_Misissuance_.28April_2009_-_September_2015.29
https://en.wikipedia.org/wiki/Certificate_Transparency helps keep CAs
honest.
The way I like to frame it is: "any certificate should only be trusted as
much as the *least* trustworthy CA in your certificate store".
AFAIK, in an enterprise, MITM works by having a local CA added to the cert
stores of the workstation fleet, and having that CA auto-generate the certs
for MITM. That didn't work with certificate pinning, but pinning has been
deprecated.
> If it's only your own communications and not with a third,
> commercial party, self-signed seems a lot more secure.
>
Yes, I imagine there are some circumstances where it would make sense to
remove all the certs from your certificate store and then just add your
local CA's cert. In this case, the least trustworthy CA in the store is
your own :)