Gentoo Archives: gentoo-user

From: Rich Freeman <rich0@g.o>
To: gentoo-user@l.g.o
Subject: Re: Letsencrypt (was Re: [gentoo-user] app-misc/ca-certificates)
Date: Tue, 01 Jun 2021 13:22:53
In Reply to: Re: Letsencrypt (was Re: [gentoo-user] app-misc/ca-certificates) by Michael Orlitzky
1 On Tue, Jun 1, 2021 at 8:16 AM Michael Orlitzky <mjo@g.o> wrote:
2 >
3 > On Tue, 2021-06-01 at 13:02 +0100, Peter Humphrey wrote:
4 > >
5 > > So what would you recommend for someone in the case Joost cites? I'm in that
6 > > position, being a home user of a small network but no registered Internet
7 > > name.
8 > >
9 >
10 > A self-signed certificate combined with a browser extension that lets
11 > you "pin" it. With pinning, you can keep your browser usable on the WWW
12 > while still rejecting any forged certificates for your own hosts. The
13 > end result works pretty much like SSH keys do.
15 Can't really argue with this. However, for those who aren't
16 completely following along it is probably worth pointing out that the
17 way you're doing it is different from how 99.999% of the way the world
18 is doing it.
20 So, if you're talking about securing communications between hosts you
21 control what mjo suggests is a much better solution than the standard
22 solution (at least security-wise). There are probably better ways to
23 do it, but not much that is standard.
25 However, if you're working with others then that solution isn't such a
26 good one, as it isn't really standard. That said, it isn't uncommon
27 for more sophisticated companies to pin certificates from their
28 partners so that a random CA can't do an end-run around security. I
29 have vendors I work with who regularly send out notices of pending
30 certificate changes to technical contacts to allow for this.
32 Really though the entire SSL CA infrastructure needs a massive
33 overhaul. Using something like DNSSEC as a trust root would be one
34 way to go about it. Another might be to restrict the scope that CAs
35 could sign within and have some way to automate that. Self-signed
36 certs aren't a good solution for the average user and no SSL is an
37 even worse one (at best it removes security theater, but at the cost
38 of allowing attackers to not even bother with subverting the CA
39 system, which opens up a lot more attacks). Right now you can browse
40 using SSL to for the first time and in theory your browser
41 won't complain if the certificate is signed by the PLA...
43 --
44 Rich