<div dir="ltr">I dont believe any cert that *I* didnt set up.<div><br></div><div>What irritating is that I often have to go to some website on company orders, only to have my browser refuse to let me override the lock.</div><div><br></div><div>To me ALL CA USELESS!!!</div><div><br></div><div>How many hundred thousand bogus certs did Symantec sign?</div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Thu, Mar 28, 2019 at 1:07 AM Rick Moen <<a href="mailto:rick@linuxmafia.com">rick@linuxmafia.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">Breaking threading because I didn't save a copy of Texx's post, and had<br>
to copy text out of the archives;<br>
<br>
Quoting Texx (<a href="mailto:texxgadget@gmail.com" target="_blank">texxgadget@gmail.com</a>):<br>
<br>
> Michael's post reminds me of a pet peeve (Think his name is Irving).<br>
> People go to the trouble of setting up certs, but cant be bothered to<br>
> renew them when they expire. To me, this makes certs TOTALLY F*****G<br>
> USELESS.<br>
<br>
Here's a question you may not have asked yourself: What is your basis<br>
for relying on an Web site cert that _hasn't_ expired?<br>
<br>
Most people's operational answer involves seeing a lock icon and<br>
inferring a CA attestation. Let's take that as true. Doing so moves<br>
the question one step back: Why do you have confidence in a cert that<br>
merely has a CA attestation?<br>
<br>
This is where most people answering these questions start wondering<br>
about the garden path they're on, and having doubts. THe bolder among<br>
them might say, somewhat tentatively 'I have reasonable faith in the <br>
CA my online bank does business with.' And maybe that faith is<br>
justified -- but the problem is that the lock icon doesn't say who<br>
attests to this instance of the cert for the site claiming to be your<br>
online bank. All you know from the lock icon is that there's current<br>
attestation by a CA whose public signing key's in your Web browser's<br>
cert bundle. That's something like 300 CAs distributed all around the<br>
world, and some of those CAs have proven over the past 20 years to be<br>
extremely skeevy and/or inept and/or corrupt and/or subject to control<br>
of spook agencies (possibly among others) for nefarious purposes.<br>
<br>
So, if relying on Web broswers' normal visual indications of 'valid'<br>
https, you really have absolutely no idea which of those 300+ CAs <br>
are attesting to this cert. It might be a completely different cert<br>
from the one you loaded half an hour ago when you last visited your<br>
online banking, and it might be for an imposter Web site being operated<br>
in Cyprus by a gang of criminals who've sought out and paid the least<br>
honest and reputable of the world's 300+ CAs to forge your bank's SSL<br>
cert. And maybe you're sitting in a Starbuck's whose cheap border<br>
router has been zombified by those crooks to send requests for your<br>
bank's Web site to the fraud site in Cyprus. You'd literally not be<br>
able to tell, because the conventional Web browser usage model puts <br>
full trust into all CAs' signing keys and tells the user nothing about<br>
suspicious changse.<br>
<br>
(Michael has already hear past iterations of this speech, along with<br>
specific examples of why trusting all the CAs of the world is a dreadful<br>
idea, but you hadn't.)<br>
<br>
<br>
_______________________________________________<br>
conspire mailing list<br>
<a href="mailto:conspire@linuxmafia.com" target="_blank">conspire@linuxmafia.com</a><br>
<a href="http://linuxmafia.com/mailman/listinfo/conspire" rel="noreferrer" target="_blank">http://linuxmafia.com/mailman/listinfo/conspire</a><br>
</blockquote></div><br clear="all"><div><br></div>-- <br><div dir="ltr" class="gmail_signature"><br>R "Texx" Woodworth<br>Sysadmin, E-Postmaster, IT Molewhacker<br>"Face down, 9 edge 1st, roadkill on the information superdata highway..."<br></div>