| 1 |
> On Thu, Sep 27, 2007 at 05:23:26PM +0200, Hanno B??ck wrote: |
| 2 |
>> Well, I hope I don't have to tell that self-signed certs are not really good |
| 3 |
>> security policy. |
| 4 |
> Whether or not self-signed certs are secure or insecure depends entirely |
| 5 |
> on your definition of 'secure'. |
| 6 |
> - Is the traffic encrypted between your machine and the server? |
| 7 |
> Always, regardless of it being a self-signed or self-CA, or external CA. |
| 8 |
> - Can you be sure that there is no MITM attack? |
| 9 |
> Only if you trust the CA _OR_ you know in advance the SSL fingerprint. |
| 10 |
> |
| 11 |
> Knowing the SSL fingerprint is trivial, if you login to machines with |
| 12 |
> SSH, you are be doing this every day. |
| 13 |
|
| 14 |
Yes, you and I and most other technical people know and understand this. But how |
| 15 |
many end users know or care that their traffic to bugzilla is being safely |
| 16 |
encrypted? And how many are going to have worry and or doubt when they get a popup |
| 17 |
telling them that some kind of security certificate may not be valid. It's |
| 18 |
definitely a red flag. |
| 19 |
|
| 20 |
>> I think most of you know that there's CAcert, a "free" certificate authority. |
| 21 |
>> While it's sadly not free in a "free software" sense (their own software |
| 22 |
>> isn't released under a free license, though I hope that will change at some |
| 23 |
>> point in the future), it uses a web-of-trust-based concept for trust and |
| 24 |
>> issues certificates with no costs. |
| 25 |
> Go and read ALL of this bug: |
| 26 |
> http://bugs.gentoo.org/show_bug.cgi?id=108944 |
| 27 |
> Pylon and myself, as folk in favour of CA-Cert tried to get the ball |
| 28 |
> rolling to get Organization-level certs from CACert. It seems to have |
| 29 |
> long blocked on trustees and paperwork - both on our side, and on the |
| 30 |
> side of CACert (Inclusion in Mozilla is blocking on the CACert internal |
| 31 |
> audit). |
| 32 |
|
| 33 |
Is there a reason that my Godaddy suggestion in the bug isn't being considered? |
| 34 |
Regardless of what you may think of them as a company, they offer the same free type |
| 35 |
of certificate to open source projects just like cacert, and with what looks to be |
| 36 |
considerable less overhead. I understand that cacert is more "open sourcy" than |
| 37 |
godaddy, but if they're as much of a roadblock as the Trustees are in this case, |
| 38 |
maybe going that route would enable us to move forward? |
| 39 |
|
| 40 |
>> I think compared to self-signed, having cacert-certificates would be a big |
| 41 |
>> improvement. Many other free software projects (and more and more other |
| 42 |
>> pages) use cacert, so it becomes more and more likely that people will |
| 43 |
>> already have the cacert-root-cert installed. |
| 44 |
> I don't agree that it's a big improvement. If you read the bug above, |
| 45 |
> you'll note that we did at one stage have a 'Gentoo CA' that Infra ran |
| 46 |
> for generating certs. |
| 47 |
|
| 48 |
It is a big improvement. Not in security, but in perception. |
| 49 |
|
| 50 |
Caleb |
| 51 |
|
| 52 |
-- |
| 53 |
gentoo-dev@g.o mailing list |
Archives