[Info-vax] [OT] Zero trust software, was: Re: Rethinking DECNET ?
Bill Gunshannon
bill at server3.cs.scranton.edu
Wed Sep 3 14:16:01 EDT 2014
In article <lu7df0$nvn$1 at dont-email.me>,
Stephen Hoffman <seaohveh at hoffmanlabs.invalid> writes:
> On 2014-09-03 15:34:30 +0000, JF Mezei said:
>
>> On 14-09-03 08:38, Bill Gunshannon wrote:
>>
>>> My private certificates provide much more security because I can be
>>> certain I haven't given them to any third parties.
>>
>> But you have no defence against a malicious site redirecting DNS to
>> their site and using their own self signed certificate to impersonate
>> your site fully.
>
> If the initial self-signed root certificate load is loaded and
> correctly trusted and/or if the self-signed leaf certificate is loaded
> using a trusted path, you're secure.
>
>> When your certificate is "registered" with an authority, there is
>> confidence that when someone does https://www.chocolate.com , they will
>> get to YOUR site and if someone tried to hijack your site, browsers
>> will warn the end user that the certificate presented by the "new" site
>> is invalid.
>
> If you're running an ecommerce site and have no control over the clients, sure.
Except that recent news has shown that if you were using VeriSign certs
you have already been compromised while holding on to a false trust of
the person you paid good money to for that ttrust.
>
> If you're doing what Bill is likely doing here and what other folks are
> definitely doing with self-signed certificates, Bill is correct.
We use them on our webpage mostly to allow an encrypted link to stop
casual monitoring of things like email traffic from our web interface.
The students use them to make it easier to use GIT for their school
projects. If I were doing business and only had to communicate with
a small fixed number of known contacts I would do the same I am doing
now. If I had to deal with some unknown number of unknown clients I
would make sure that no personal or business communications were done
until we had a chance to establish that relationship so I could provide
them with a valid certificate via a secure channel. I would not pay
some third party for security when I have no reason to trust them in the
first place.
bill
--
Bill Gunshannon | de-moc-ra-cy (di mok' ra see) n. Three wolves
billg999 at cs.scranton.edu | and a sheep voting on what's for dinner.
University of Scranton |
Scranton, Pennsylvania | #include <std.disclaimer.h>
More information about the Info-vax
mailing list