On 1/6/21 12:45 pm, J. Roeleveld wrote:
> On Saturday, May 29, 2021 8:26:57 AM CEST Walter Dnes wrote:
>> On Sat, May 29, 2021 at 03:08:39AM +0200, zcampe@×××××.com wrote:
>>
>>> 125 config files in /etc/ssl/certs need updating.
>>>
>>> For certificates I would expect the old and invalid ones to be replaced
>>> by newer ones without user intervention.
>> Looking through them is "interesting". There seem to be a lot of
>> /etc/ssl/certs/????????.0 files, where "?" is either a random number or
>> a lower case letter. These all seem to be symlinks to
>> /etc/ssl/certs/<Some_Name>.pem. Each of those files is in turn a
>> symlink to /usr/share/ca-certificates/mozilla/<Some_Name>.crt. How much
>> do we trust China? There are a couple of certificates in there named
>> /usr/share/ca-certificates/mozilla/Hongkong_Post_Root_CA_1.crt and
>> /usr/share/ca-certificates/mozilla/Hongkong_Post_Root_CA_3.crt. Any
>> other suspicious regimes in there?
> I've always wondered about the amount of CAs that are auto-trusted on any
> system. Including several from countries with serious human rights issues.
>
> I could do with a tool where I can easily select which CAs to trust based on
> country.
>
> --
> Joost


And another "wondering" - all the warnings about trusting self-signed
certs seem a bit self-serving. Yes, they are trying to certify who you
are, but at the expense of probably allowing access to your
communications by "authorised parties" (such as commercial entities
purchasing access for MITM access - e.g. certain router/firewall
companies doing deep inspection of SSL via resigning or owning both end
points). If it's only your own communications and not with a third,
commercial party, self-signed seems a lot more secure.

Getting a bit OT, but interesting nonetheless.

BillK

Ref:

https://checkthefirewall.com/blogs/fortinet/ssl-inspection

https://us-cert.cisa.gov/ncas/alerts/TA17-075A
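As an added example (not from the thread or any of its posters), here is a stdlib-only Python sketch of the tool Joost asks for. It follows the hash.0 -> Name.pem -> mozilla/Name.crt symlink chain Walter describes so each CA is counted once, parses each certificate with a minimal DER walker, and reports the subject's countryName (OID 2.5.4.6) so a local store can be filtered by country. The function names, the `allowed_countries` parameter and the sample certificates are all assumptions made for this example: the samples are constructed, unsigned, structurally valid certificates built inline so the script runs offline, not real CA certificates.

```python
"""Added example (not from the thread): audit a CA store by subject country.

Walks the /etc/ssl/certs symlink chain, parses each X.509 certificate with a
minimal stdlib DER walker, and reports the subject's countryName (OID 2.5.4.6)
so CAs can be kept or dropped by country. The certificates used for the demo
below are constructed (unsigned, structurally valid), not real CA certificates.
"""
import base64
import os
import re

OID_COUNTRY = bytes.fromhex("550406")          # 2.5.4.6 countryName
OID_CN = bytes.fromhex("550403")               # 2.5.4.3 commonName
OID_SHA256_RSA = bytes.fromhex("2A864886F70D01010B")


def der_read(buf, pos):
    """Read one TLV at pos -> (tag, contents, next_pos); handles long-form lengths."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                          # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def der_children(contents):
    """Split the contents of a constructed element into [(tag, contents), ...]."""
    out, pos = [], 0
    while pos < len(contents):
        tag, val, pos = der_read(contents, pos)
        out.append((tag, val))
    return out


def name_attrs(name_contents):
    """X.501 Name = SEQUENCE OF SET OF {OID, value}; flatten to {oid_bytes: str}."""
    attrs = {}
    for _, rdn in der_children(name_contents):
        for _, atv in der_children(rdn):
            (_, oid), (_, val) = der_children(atv)[:2]
            attrs[oid] = val.decode("utf-8", "replace")
    return attrs


def cert_subject(der):
    """Return the subject attributes of a DER-encoded X.509 certificate."""
    _, cert, _ = der_read(der, 0)              # Certificate ::= SEQUENCE
    _, tbs, _ = der_read(cert, 0)              # tbsCertificate ::= SEQUENCE
    fields = der_children(tbs)
    if fields[0][0] == 0xA0:                   # optional [0] EXPLICIT version
        fields = fields[1:]
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo, ...
    return name_attrs(fields[4][1])


def pem_to_der(pem):
    body = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S)
    return base64.b64decode("".join(body.group(1).split()))


def audit(pems, allowed_countries):
    """[(commonName, country, keep?)] per PEM; keep only the allowed countries."""
    report = []
    for pem in pems:
        subj = cert_subject(pem_to_der(pem))
        country = subj.get(OID_COUNTRY, "??")   # "??" = subject carries no C= attribute
        report.append((subj.get(OID_CN, "?"), country, country in allowed_countries))
    return report


def resolve_store(directory="/etc/ssl/certs"):
    """Follow hash.0 -> Name.pem -> .../mozilla/Name.crt so each CA counts once."""
    targets = {}
    for entry in sorted(os.listdir(directory)):
        path = os.path.join(directory, entry)
        if not os.path.isdir(path):
            targets.setdefault(os.path.realpath(path), []).append(entry)
    return targets


# --- constructed sample certificates (no real key or signature) ---------------
def der_encode(tag, contents):
    n = len(contents)
    if n < 0x80:
        return bytes([tag, n]) + contents
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + contents


def make_name(country, cn):
    rdn = lambda oid, tag, v: der_encode(0x31, der_encode(0x30, der_encode(0x06, oid) + der_encode(tag, v)))
    return der_encode(0x30, rdn(OID_COUNTRY, 0x13, country.encode()) + rdn(OID_CN, 0x0C, cn.encode()))


def make_sample_pem(cn, country):
    alg = der_encode(0x30, der_encode(0x06, OID_SHA256_RSA))
    name = make_name(country, cn)
    validity = der_encode(0x30, der_encode(0x17, b"210101000000Z") + der_encode(0x17, b"310101000000Z"))
    tbs = der_encode(0x30, der_encode(0xA0, der_encode(0x02, b"\x02")) + der_encode(0x02, b"\x01")
                     + alg + name + validity + name + der_encode(0x30, b""))
    b64 = base64.b64encode(der_encode(0x30, tbs + alg + der_encode(0x03, b"\x00"))).decode()
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64)) + "\n-----END CERTIFICATE-----\n"


if __name__ == "__main__":
    samples = [make_sample_pem("Hongkong Post Root CA 3", "HK"), make_sample_pem("Example Root CA", "US")]
    for cn, country, keep in audit(samples, allowed_countries={"US"}):
        print(f"{'keep' if keep else 'drop'}  C={country}  CN={cn}")
```

On a real system you would feed `audit()` the PEM text of each key in `resolve_store()`. One caveat worth keeping in mind when using this as a trust filter: the subject's C= is the jurisdiction the CA declared when it applied to the root program, not necessarily where its keys are operated or who can compel it, and some roots carry no C= at all (reported here as "??").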