[aklug] Re: Tor + Firefox

From: Christopher Howard <christopher.howard@frigidcode.com>
Date: Tue Feb 14 2012 - 15:07:59 AKST

On 02/14/2012 01:16 PM, Scott A. Johnson wrote:
> When you say wikipedia has a "valid" cert, what makes it valid?
> That some global CA signed it? Why do you trust the global CA?
> Or, did wikipedia self sign and you've chosen to trust their cert?
> How do you normally handle self-signed certs? Not saying you
> haven't properly configured trust/privacy on your machines, but
> pointing out that many people don't question certs when signed by
> the CA that are included with their browser by default.
>
> Scott
>

Wikipedia's cert is not self-signed, but is signed by DigiCert Inc. At
present, I do not accept any self-signed certificates.

I trust the global CA because it is practical to do so and still
maintain reasonable security expectations. Finding a certificate that
has been assigned by a global CA gives me a reasonable assurance that
the host I am communicating with is one operated by the person or
group that owns the domain I am attempting to contact. This is, of
course, because global CAs when issuing certificates will, at the
least, do a domain registration validation to ensure that the customer
has control over the domain he purports to own. Furthermore, global
CAs have an interest in preserving their reputations as CAs.

A self-signed certificate is not inherently insecure as far as the SSL
protocol itself is concerned; it just says very little about the
origin. One may accept self-signed certificates, but ideally only
after one has applied some reasonable method to ensure origin. For
example, if gentoo.org provided a self-signed certificate, I could
call the Gentoo foundation and ask them what the fingerprint of their
certificate was, and then make an exception for that specific
certificate. Though, I would be very annoyed with the Gentoo
foundation for making me go to all the trouble.

As to default browser certificates, of course there is a certain
amount of risk there that could be lessened by education, though I
imagine that for practical reasons the typical user is just as safe
accepting the browser default pack as he is trying to maintain his
own. In the case of Firefox, all the issues regarding which
certificates should be accepted or dropped are discussed publicly on
the dev-security-policy mailing list
<https://lists.mozilla.org/listinfo/dev-security-policy>. So you could
listen in and then delete or add individual certs from the pack if you
happened to disagree with a final decision.

So that, I think, is workable enough philosophy.

--
frigidcode.com
theologia.indicium.us
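The out-of-band fingerprint check described above (phone the operator, get the fingerprint, make an exception for that one certificate), written out as an added Python example; this is not code from the thread or from any project named in it. The host, port and expected fingerprint passed to `connect_with_pinned_cert` are assumed inputs, and the sample "certificate" bytes are constructed, not a real certificate.

```python
import base64
import hashlib
import hmac
import re
import socket
import ssl

# Constructed stand-in for DER-encoded certificate bytes; NOT a real certificate.
SAMPLE_DER = b"constructed sample bytes standing in for a DER certificate"
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.b64encode(SAMPLE_DER).decode()
              + "\n-----END CERTIFICATE-----\n")


def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armour and base64-decode the certificate body."""
    match = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S)
    if match is None:
        raise ValueError("no CERTIFICATE block in input")
    return base64.b64decode("".join(match.group(1).split()))


def fingerprint(der: bytes, algo: str = "sha256") -> str:
    """Colon-separated hex digest of the DER bytes, as `openssl x509 -fingerprint` prints it."""
    digest = hashlib.new(algo, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fingerprint_matches(der: bytes, expected: str, algo: str = "sha256") -> bool:
    """Constant-time comparison; colons, spaces and case are ignored so a value
    read out over the phone still matches the canonical form."""
    canon = lambda s: re.sub(r"[^0-9A-F]", "", s.upper())
    return hmac.compare_digest(canon(fingerprint(der, algo)), canon(expected))


def connect_with_pinned_cert(host: str, port: int, expected_fp: str) -> ssl.SSLSocket:
    """Accept a self-signed certificate only if its fingerprint equals expected_fp.
    CA validation is switched off on purpose: the out-of-band fingerprint is the
    sole trust decision, so any mismatch must abort the connection."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False          # must precede CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    sock = ctx.wrap_socket(socket.create_connection((host, port)), server_hostname=host)
    if not fingerprint_matches(sock.getpeercert(binary_form=True), expected_fp):
        sock.close()
        raise ssl.SSLCertVerificationError(f"{host}: certificate fingerprint not pinned")
    return sock
```

The pin should be recorded per certificate, and it stops working when the operator rotates the key, which is exactly the trouble the post complains about.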