Gentoo Archives: gentoo-user

From: "J. Roeleveld" <joost@××××××××.org>
To: gentoo-user@l.g.o
Subject: Re: [gentoo-user] app-misc/ca-certificates
Date: Wed, 02 Jun 2021 07:21:48
Message-Id: 2584277.mvXUDI8C0e@iris
In Reply to: Re: [gentoo-user] app-misc/ca-certificates by Grant Taylor
On Wednesday, June 2, 2021 3:51:06 AM CEST Grant Taylor wrote:
> On 6/1/21 3:38 PM, Michael Orlitzky wrote:
> > All browsers will treat their fake certificate corresponding to the
> > fake key on their fake web server as completely legitimate. The "real"
> > original key that you generated has no special technical properties
> > that distinguish it.
>
> Not /all/ browsers. I know people that have run browser extensions to
> validate the TLS certificate that they receive against records published
> via DANE in DNS, which is protected by DNSSEC. So it's effectively
> impossible for a rogue CA and malicious actor to violate that chain of
> trust in a way that can't be detected and acted on.

Do you know which extensions add this?

