Scientific Linux Forum.org




> Beware of trusting SSL / HTTPS, CA caught selling wildcard certificates
tux99
 Posted: Feb 7 2012, 08:33 PM

SLF Moderator

Group: Moderators
Posts: 1277
Member No.: 224
Joined: 28-May 11

Have you ever wondered why you should trust all those hundreds of CAs (or any of them) included by default in your browser?

Well, you shouldn't!

QUOTE
Trustwave issued a man-in-the-middle certificate

Certificate authority Trustwave issued a certificate to a company allowing it to issue valid certificates for any server. This enabled the company to listen in on encrypted traffic sent and received by its staff using services such as Google and Hotmail.

[...]

Security experts and privacy advocates have been warning for a while that any CA and any sub-CA authorised by it are able to issue certificates for any server. This is a cause of particular concern in the case of some government CAs, where there is every likelihood that they could assist with monitoring activities. This is the first case that we are aware of where a respectable certificate authority has enabled third parties to issue arbitrary SSL server certificates for monitoring purposes. Trustwave claims, however, that this is common practice among other root CAs.

Read full article here: http://www.h-online.com/security/news/item/Trustwave-issued-a-man-in-the-middle-certificate-1429982.html

--------------------
My personal SL6 repository, specialized in audio/video software: http://pkgrepo.linuxtech.net/el6/
(can be used together with EPEL and ELRepo repositories) - repository mirror: http://linuxsoft.cern.ch/linuxtech/el6/
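The point in the quoted article, that any trusted CA can issue a valid certificate for any name, is easy to see with two throwaway CAs. The script below is an added example, not code from this thread or from Trustwave or h-online: it builds two constructed CAs, puts both in a trust bundle (standing in for the browser's CA store), has each issue a certificate for the same hostname, and shows that `openssl verify` accepts both. It then computes the SPKI SHA-256 pin of each leaf, the value HPKP and certificate-pinning libraries compare, and shows that only the certificate carrying the genuine key matches a pin recorded in advance. It assumes a POSIX shell and the `openssl` command line tool; the hostname, CA names and working directory are made up for the demo.

```shell
#!/bin/sh
# Added example (not from the forum thread). Two locally generated,
# constructed CAs both sit in one trust bundle and each issues a
# certificate for the same hostname. Chain validation only asks
# "was this signed by some trusted CA?", so it accepts both; comparing
# the leaf's SubjectPublicKeyInfo hash (SPKI pin) to a value recorded
# for the genuine key is what tells them apart.
set -eu

WORK="${TMPDIR:-/tmp}/pki-demo.$$"   # assumed scratch directory
HOST="mail.example.test"             # constructed hostname
trap 'rm -rf "$WORK"' EXIT

# make_ca NAME : self-signed CA certificate and key, $WORK/NAME.{crt,key}
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$WORK/$1.key" -out "$WORK/$1.crt" \
        -subj "/CN=$1 Root" >/dev/null 2>&1
}

# issue_leaf CA NAME : certificate for $HOST signed by CA, $WORK/NAME.crt
issue_leaf() {
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$WORK/$2.key" -out "$WORK/$2.csr" \
        -subj "/CN=$HOST" >/dev/null 2>&1
    openssl x509 -req -days 1 -in "$WORK/$2.csr" \
        -CA "$WORK/$1.crt" -CAkey "$WORK/$1.key" -CAcreateserial \
        -out "$WORK/$2.crt" >/dev/null 2>&1
}

# spki_pin CERT : base64(SHA-256(DER SubjectPublicKeyInfo)) of the cert
spki_pin() {
    openssl x509 -in "$1" -pubkey -noout \
        | openssl pkey -pubin -outform der \
        | openssl dgst -sha256 -binary \
        | openssl base64
}

# chain_ok CERT : "yes" if CERT chains to any CA in the bundle, else "no"
chain_ok() {
    if openssl verify -CAfile "$WORK/bundle.pem" "$1" >/dev/null 2>&1; then
        echo yes
    else
        echo no
    fi
}

# pin_ok CERT EXPECTED_PIN : "yes" only if the leaf key is the pinned one
pin_ok() {
    if [ "$(spki_pin "$1")" = "$2" ]; then echo yes; else echo no; fi
}

run_demo() {
    mkdir -p "$WORK"
    make_ca ca1
    make_ca ca2
    # the "browser" trust store: both CAs are trusted, as in a real bundle
    cat "$WORK/ca1.crt" "$WORK/ca2.crt" > "$WORK/bundle.pem"
    issue_leaf ca1 genuine   # the certificate the site operator obtained
    issue_leaf ca2 other     # a valid certificate for the same name from another CA
    # pin recorded out of band (first contact, or published by the operator)
    PIN="$(spki_pin "$WORK/genuine.crt")"
    for leaf in genuine other; do
        printf '%s: chain=%s pin=%s\n' "$leaf" \
            "$(chain_ok "$WORK/$leaf.crt")" \
            "$(pin_ok "$WORK/$leaf.crt" "$PIN")"
    done
}

run_demo
```

Running it prints `genuine: chain=yes pin=yes` and `other: chain=yes pin=no`: the trust bundle cannot tell the two apart, the recorded key hash can. The same pin computation works on a certificate saved from a live connection, which is how a client can notice that a server's key changed even though the new certificate validates.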
John Cuppi
 Posted: Feb 14 2012, 06:23 PM

SLF Admin Team

Group: Admins
Posts: 144
Member No.: 15
Joined: 10-April 11

Yet another reason why I hate the whole "certificate" system. This isn't the first time there's been a case of a cert authority issuing a nasty cert and won't be the last.
log69
 Posted: Mar 3 2012, 06:27 PM

SLF Member

Group: Members
Posts: 94
Member No.: 1325
Joined: 24-February 12

Also, the problem is even a bit bigger than that IMHO. Even if the CA doesn't give out such certs or keys, we still have to trust their whole IT environment. AFAIK Comodo was on the news a year or even less ago with stolen signing keys from them.

So the problem is that the weakest chain sometimes gives the whole reliability of the system. In the case of the CAs, we have to take their whole infrastructures with all the people with all their own computing stuff into account to try to measure the security as a whole. Can they really guarantee that nobody can really ever steal their private keys from any of their machines? Can they really close all tiny doors to block that from happening and close out human mistakes? Or if it happens so, will they surely always know about it? Will they disclose it?

Well, it's an interesting question for sure.
wearetheborg
 Posted: May 21 2012, 06:13 PM

SLF Geek

Group: Members
Posts: 249
Member No.: 18
Joined: 11-April 11

QUOTE (log69 @ Mar 3 2012, 01:27 PM)
Also, the problem is even a bit bigger than that IMHO. Even if the CA doesn't give out such certs or keys, we still have to trust their whole IT environment. AFAIK Comodo was on the news a year or even less ago with stolen signing keys from them.

So the problem is that the weakest chain sometimes gives the whole reliability of the system. In the case of the CAs, we have to take their whole infrastructures with all the people with all their own computing stuff into account to try to measure the security as a whole. Can they really guarantee that nobody can really ever steal their private keys from any of their machines? Can they really close all tiny doors to block that from happening and close out human mistakes? Or if it happens so, will they surely always know about it? Will they disclose it?

Well, it's an interesting question for sure.

Good point. IMHO, we can only trust what is running on our computers (if at all). Use GPG or other encryption to secure data.
