> On Thu, Sep 27, 2007 at 05:23:26PM +0200, Hanno Böck wrote:
>> Well, I hope I don't have to tell that self-signed certs are not really good
>> security policy.
> Whether or not self-signed certs are secure or insecure depends entirely
> on your definition of 'secure'.
> - Is the traffic encrypted between your machine and the server?
> Always, regardless of it being a self-signed or self-CA, or external CA.
> - Can you be sure that there is no MITM attack?
> Only if you trust the CA _OR_ you know in advance the SSL fingerprint.
>
> Knowing the SSL fingerprint is trivial, if you login to machines with
> SSH, you are doing this every day.
|
Yes, you and I and most other technical people know and understand this. But how
many end users know or care that their traffic to bugzilla is being safely
encrypted? And how many are going to have worry and/or doubt when they get a popup
telling them that some kind of security certificate may not be valid? It's
definitely a red flag.
|
>> I think most of you know that there's CAcert, a "free" certificate authority.
>> While it's sadly not free in a "free software" sense (their own software
>> isn't released under a free license, though I hope that will change at some
>> point in the future), it uses a web-of-trust-based concept for trust and
>> issues certificates with no costs.
> Go and read ALL of this bug:
> http://bugs.gentoo.org/show_bug.cgi?id=108944
> Pylon and myself, as folk in favour of CA-Cert tried to get the ball
> rolling to get Organization-level certs from CACert. It seems to have
> long blocked on trustees and paperwork - both on our side, and on the
> side of CACert (Inclusion in Mozilla is blocking on the CACert internal
> audit).
|
Is there a reason that my Godaddy suggestion in the bug isn't being considered?
Regardless of what you may think of them as a company, they offer the same free type
of certificate to open source projects just like cacert, and with what looks to be
considerably less overhead. I understand that cacert is more "open sourcy" than
godaddy, but if they're as much of a roadblock as the Trustees are in this case,
maybe going that route would enable us to move forward?
|
>> I think compared to self-signed, having cacert-certificates would be a big
>> improvement. Many other free software projects (and more and more other
>> pages) use cacert, so it becomes more and more likely that people will
>> already have the cacert-root-cert installed.
> I don't agree that it's a big improvement. If you read the bug above,
> you'll note that we did at one stage have a 'Gentoo CA' that Infra ran
> for generating certs.
|
It is a big improvement. Not in security, but in perception.

Caleb

--
gentoo-dev@g.o mailing list |
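
The "know in advance the SSL fingerprint" check from the quoted reply, sketched as an added example that is not part of the original thread. It assumes the fingerprint is a SHA-256 digest of the DER-encoded certificate obtained out of band; the function names are hypothetical and the sample certificate bytes are constructed stand-ins, not real certificates.

```python
import hashlib
import socket
import ssl

# Constructed stand-ins for DER certificate bytes (not real certificates).
SAMPLE_DER = b"constructed stand-in for the server's DER certificate"
OTHER_DER = b"constructed stand-in for a certificate swapped in by a MITM"


def fingerprint(der_cert):
    """SHA-256 over the DER-encoded certificate, as lowercase hex."""
    return hashlib.sha256(der_cert).hexdigest()


def display_fingerprint(der_cert):
    """Same digest in the colon-separated uppercase form tools usually print."""
    digest = hashlib.sha256(der_cert).digest()
    return ":".join(f"{b:02X}" for b in digest)


def normalize_fingerprint(text):
    """Accept 'AA:BB:..', 'aa bb ..' or plain hex; return lowercase hex."""
    hexstr = text.replace(":", "").replace(" ", "").lower()
    if len(hexstr) != 64 or any(c not in "0123456789abcdef" for c in hexstr):
        raise ValueError("expected a SHA-256 fingerprint (64 hex digits)")
    return hexstr


def matches_pin(der_cert, pinned):
    """True only if the presented certificate is exactly the pinned one."""
    return fingerprint(der_cert) == normalize_fingerprint(pinned)


def connect_pinned(host, port, pinned, timeout=10):
    """Open a TLS connection that trusts the pinned certificate and nothing else."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # must be disabled before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE  # no CA chain is consulted; the pin decides
    raw = socket.create_connection((host, port), timeout=timeout)
    sock = ctx.wrap_socket(raw, server_hostname=host)
    der = sock.getpeercert(binary_form=True)  # DER bytes even without validation
    if der is None or not matches_pin(der, pinned):
        sock.close()
        raise ssl.SSLError("certificate fingerprint does not match the pin")
    return sock
```

With CA validation switched off, the pin comparison is the only thing standing between the client and a substituted certificate, so the connection must be dropped before any data is sent when it fails.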