[conspire] Risks ...

Texx texxgadget at gmail.com
Tue Apr 9 00:00:13 PDT 2019


I don't believe any cert that *I* didn't set up.

What's irritating is that I often have to go to some website on company
orders, only to have my browser refuse to let me override the lock.

To me ALL CAs ARE USELESS!!!

How many hundred thousand bogus certs did Symantec sign?

On Thu, Mar 28, 2019 at 1:07 AM Rick Moen <rick at linuxmafia.com> wrote:

> Breaking threading because I didn't save a copy of Texx's post, and had
> to copy text out of the archives;
>
> Quoting Texx (texxgadget at gmail.com):
>
> > Michael's post reminds me of a pet peeve (Think his name is Irving).
> > People go to the trouble of setting up certs, but can't be bothered to
> > renew them when they expire.  To me, this makes certs TOTALLY F*****G
> > USELESS.
>
> Here's a question you may not have asked yourself:  What is your basis
> for relying on a Web site cert that _hasn't_ expired?
>
> Most people's operational answer involves seeing a lock icon and
> inferring a CA attestation.  Let's take that as true.  Doing so moves
> the question one step back:  Why do you have confidence in a cert that
> merely has a CA attestation?
>
> This is where most people answering these questions start wondering
> about the garden path they're on, and having doubts.  The bolder among
> them might say, somewhat tentatively 'I have reasonable faith in the
> CA my online bank does business with.'  And maybe that faith is
> justified -- but the problem is that the lock icon doesn't say who
> attests to this instance of the cert for the site claiming to be your
> online bank.  All you know from the lock icon is that there's current
> attestation by a CA whose public signing key's in your Web browser's
> cert bundle.  That's something like 300 CAs distributed all around the
> world, and some of those CAs have proven over the past 20 years to be
> extremely skeevy and/or inept and/or corrupt and/or subject to control
> of spook agencies (possibly among others) for nefarious purposes.
>
> So, if relying on Web browsers' normal visual indications of 'valid'
> https, you really have absolutely no idea which of those 300+ CAs
> are attesting to this cert.  It might be a completely different cert
> from the one you loaded half an hour ago when you last visited your
> online banking, and it might be for an imposter Web site being operated
> in Cyprus by a gang of criminals who've sought out and paid the least
> honest and reputable of the world's 300+ CAs to forge your bank's SSL
> cert.  And maybe you're sitting in a Starbuck's whose cheap border
> router has been zombified by those crooks to send requests for your
> bank's Web site to the fraud site in Cyprus.  You'd literally not be
> able to tell, because the conventional Web browser usage model puts
> full trust into all CAs' signing keys and tells the user nothing about
> suspicious changes.
>
> (Michael has already heard past iterations of this speech, along with
> specific examples of why trusting all the CAs of the world is a dreadful
> idea, but you hadn't.)
>


-- 

R "Texx" Woodworth
Sysadmin, E-Postmaster, IT Molewhacker
"Face down, 9 edge 1st, roadkill on the information superdata highway..."
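As an added illustration (not part of Rick's or Texx's posts) of the "completely different cert from the one you loaded half an hour ago" point: a small trust-on-first-use pin check in Python that records the SHA-256 fingerprint and issuer CN of the first certificate seen for a host and flags any later change, including a change of issuing CA, which the lock icon alone never reports. The DER bytes and peer-cert dicts below are constructed stand-ins; fetch_cert shows how to obtain real ones with the standard ssl module.

```python
import hashlib
import socket
import ssl

# Constructed stand-ins for DER-encoded certificates (not real certs);
# the real input is ssl.SSLSocket.getpeercert(binary_form=True).
CERT_A_DER = b"constructed-der-bytes-for-bank-cert-A"
CERT_B_DER = b"constructed-der-bytes-for-bank-cert-B"
# Constructed peer-cert dicts in the shape ssl.SSLSocket.getpeercert() returns.
CERT_A_INFO = {"subject": ((("commonName", "bank.example"),),),
               "issuer": ((("organizationName", "CA A Inc"),),
                          (("commonName", "Trusted CA A"),))}
CERT_B_INFO = {"subject": ((("commonName", "bank.example"),),),
               "issuer": ((("organizationName", "Other CA Ltd"),),
                          (("commonName", "Other CA B"),))}

def cert_fingerprint(der_cert: bytes) -> str:
    """SHA-256 fingerprint of the DER certificate, as hex."""
    return hashlib.sha256(der_cert).hexdigest()

def issuer_cn(peercert: dict) -> str:
    """Pull the issuer commonName out of the nested RDN tuples."""
    for rdn in peercert.get("issuer", ()):
        for attr, value in rdn:
            if attr == "commonName":
                return value
    return "<no issuer CN>"

def check_pin(store: dict, host: str, der_cert: bytes, peercert: dict) -> dict:
    """Trust-on-first-use: pin the first cert seen for host, flag later changes."""
    fp, issuer = cert_fingerprint(der_cert), issuer_cn(peercert)
    seen = store.get(host)
    if seen is None:
        store[host] = {"fingerprint": fp, "issuer": issuer}
        return {"verdict": "pinned", "issuer": issuer}
    if seen["fingerprint"] == fp:
        return {"verdict": "ok", "issuer": issuer}
    # A new cert: report who attested before and who attests now.
    return {"verdict": "changed", "issuer": issuer,
            "previous_issuer": seen["issuer"],
            "issuer_changed": seen["issuer"] != issuer}

def fetch_cert(host: str, port: int = 443) -> tuple:
    """Live helper (needs network): DER bytes and parsed dict for a real site."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port)) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as ssock:
            return ssock.getpeercert(binary_form=True), ssock.getpeercert()
```

Persist the store (e.g. as JSON) between runs, or the pin is forgotten each time; a "changed" verdict with issuer_changed set is exactly the situation the post describes, where a different CA has attested to a cert for the same site.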

