On Tue, Jun 1, 2021 at 8:16 AM Michael Orlitzky <mjo@g.o> wrote:
>
> On Tue, 2021-06-01 at 13:02 +0100, Peter Humphrey wrote:
> >
> > So what would you recommend for someone in the case Joost cites? I'm in that
> > position, being a home user of a small network but no registered Internet
> > name.
> >
>
> A self-signed certificate combined with a browser extension that lets
> you "pin" it. With pinning, you can keep your browser usable on the WWW
> while still rejecting any forged certificates for your own hosts. The
> end result works pretty much like SSH keys do.

Can't really argue with this. However, for those who aren't
completely following along, it is probably worth pointing out that the
way you're doing it is different from the way 99.999% of the world
is doing it.

So, if you're talking about securing communications between hosts you
control, what mjo suggests is a much better solution than the standard
solution (at least security-wise). There are probably better ways to
do it, but not much that is standard.

However, if you're working with others then that solution isn't such a
good one, as it isn't really standard. That said, it isn't uncommon
for more sophisticated companies to pin certificates from their
partners so that a random CA can't do an end-run around security. I
have vendors I work with who regularly send out notices of pending
certificate changes to technical contacts to allow for this.

Really, though, the entire SSL CA infrastructure needs a massive
overhaul. Using something like DNSSEC as a trust root would be one
way to go about it. Another might be to restrict the scope that CAs
could sign within and have some way to automate that. Self-signed
certs aren't a good solution for the average user, and no SSL is an
even worse one (at best it removes security theater, but at the cost
of allowing attackers to not even bother with subverting the CA
system, which opens up a lot more attacks). Right now you can browse
using SSL to army.mil for the first time and in theory your browser
won't complain if the certificate is signed by the PLA...

--
Rich
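The "works like SSH keys" pinning that mjo describes, as an added example rather than anything from the thread: a trust-on-first-use pin store keyed by hostname, and a client that skips CA validation for a self-signed host but refuses to use the connection unless the presented certificate matches the recorded pin. The hostnames and certificate bytes in the test are constructed; the pin is the SHA-256 of the whole DER certificate, so a re-issued self-signed cert (the "pending certificate change" notice case) must be re-pinned deliberately.

```python
import hashlib
import socket
import ssl


def cert_fingerprint(der_cert: bytes) -> str:
    """SHA-256 of the DER-encoded certificate, hex encoded (the pin value)."""
    return hashlib.sha256(der_cert).hexdigest()


def check_pin(host: str, der_cert: bytes, store: dict) -> str:
    """Trust-on-first-use check, mirroring SSH's known_hosts behaviour.

    Returns 'new' when no pin exists yet (the pin is recorded in `store`),
    'ok' when the presented certificate matches the stored pin, and
    'mismatch' when it differs, which the caller must treat as fatal.
    """
    fp = cert_fingerprint(der_cert)
    pinned = store.get(host)
    if pinned is None:
        store[host] = fp
        return "new"
    return "ok" if pinned == fp else "mismatch"


def connect_pinned(host: str, port: int, store: dict, timeout: float = 5.0):
    """Open a TLS connection to a self-signed host and enforce the pin.

    CA validation is disabled on purpose: the pin is the only trust anchor.
    Because of that, nothing may be sent on the socket until check_pin has
    returned 'ok' (or 'new' on a first, deliberately trusted contact).
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    raw = socket.create_connection((host, port), timeout=timeout)
    tls = ctx.wrap_socket(raw, server_hostname=host)
    result = check_pin(host, tls.getpeercert(binary_form=True), store)
    if result == "mismatch":
        tls.close()
        raise ssl.SSLCertVerificationError(
            f"certificate for {host} does not match its pin; refusing to continue"
        )
    return tls, result
```

Persisting `store` to disk (and refusing silently re-pinning on mismatch) is what turns this into the SSH-style workflow; the in-memory dict is kept here so the logic can be checked without a network.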