Skip site navigation (1)Skip section navigation (2)
Date:      Sat, 2 Jun 2012 16:53:35 -0600
From:      Chad Perrin <code@apotheon.net>
To:        freebsd-ports@freebsd.org
Subject:   Re: Please rebuild all ports that depend on PNG
Message-ID:  <20120602225148.GA8486@hemlock.hydra>
In-Reply-To: <20120602140703.004264ea@scorpio>
References:  <CAGFTUwMo51dWxM2p4STaqt-=NjzEuUH5U6nmbiuzVMtK6_W3dQ@mail.gmail.com> <20120602122658.0f86debc@scorpio> <CADLo8388dHiEZCxdXz9A=Ur5qPVzcfbxh43ZGgzfkbWk9r%2B%2BJg@mail.gmail.com> <20120602140703.004264ea@scorpio>

next in thread | previous in thread | raw e-mail | index | archive | help
On Sat, Jun 02, 2012 at 02:07:03PM -0400, Jerry wrote:
> On Sat, 2 Jun 2012 17:34:59 +0100 Chris Rees articulated:
> >
> >It just means he hasn't bought a certificate- no less trustworthy than
> >vanilla (non-SSL) http.
> 
> IMHO, if you are going to use "https" then you should have a proper SSL
> certificate. A self-signed one means virtually nothing. If the web site
> operator is not going to purchase an authentic certificate they why
> use SSL at all? Just my 2¢ on the matter.

1. SSL means encrypted, regardless of who signs the certificate.

2. Using a known CA for certificate signing means a third party with
enough clout to get added to a list of known CAs vouches for the
certificate (or that someone else has somehow compromised that third
party's cert signing resources).

3. Many "trusted" widely-known CAs have questionable policies with regard
to certificate signing, and often use very weak ciphers for cert signing.
On several occasions, government agencies and malicious security crackers
have been found using bogus certs that verify as signed by "legitimate"
CAs.

4. Regardless of who signs a cert, you still have to trust the site
operators to some extent, because the encryption certainly doesn't stop
*them* from getting the information you're sending, so in principle a
self-signed cert is not in any way an indication of any lesser
trustworthiness.

5. As long as you can get trustworthy confirmation of the provenance of a
given cert's signature, you can verify the cert as authentic for the site
in question, subject to the limitations of the technology used.

The not-quite-obvious (to many, at least) consequence of the above is
that the entire PKI system used by CAs for SSL is what amounts to a
vacant lot scam.  This is where a vacant parking lot -- owned by someone
who is not making (much) use of it on a given occasion -- is "claimed" by
someone wearing something like a valet uniform, who takes money in
exchange for parking someone's car in the lot but actually has no
relationship with the lot owner at all.  The result is that people
parking in the lot are being charged money for the promise of something
(official, property-owner permission to park there, plus responsible care
for the vehicles in question) that to some extent the person charging the
money is not in a position to offer.

The analogous condition in this case is that the well-known CAs are
promising security and privacy that can be gotten by other, cheaper
means, but to some extent do not even provide as high quality a guarantee
as they would like you to think.  Alternate verification infrastructures
such as Monkeysphere and (my favorite, in terms of design principles)
Perspectives provide roughly equivalent security value, and if they reach
a threshhold of user density would exceed the security value of CA-signed
certificates as a basis for verification.  In addition to this, simply
posting cert signature data publicly for out-of-band comparison could
greatly enhance the verifiability of SSL site certificates, as with an
OpenPGP public key.

In fact, many of the weaknesses of SSL systems as currently designed
could be obviated by having used OpenPGP as the basis of the system
rather than creating this whole PKI system for the sole purpose of making
corporate CAs seem "necessary" as imaginary authorities who claim to be
able to provide special "security" guarantees.

So . . . your opinion may be that a self-signed sertificate "means
virtually nothing", but security in the real world does not operate on
unfounded opinions.

-- 
Chad Perrin [ original content licensed OWL: http://owl.apotheon.org ]



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20120602225148.GA8486>