[Info-vax] forum.vmssoftware.com/

[Johnny Billquist]

On 2023-09-11 18:09, David Wade wrote:
> On 11/09/2023 15:59, bill wrote:
>> On 9/11/2023 10:06 AM, Johnny Billquist wrote:
>>> On 2023-09-11 10:02, David Wade wrote:
>>>> On 11/09/2023 03:34, Arne Vajhøj wrote:
>>>>> On 9/10/2023 9:56 PM, Arne Vajhøj wrote:
>>>>>> There is something going on with that site.
>>>>>>
>>>>>> I tried again.
>>>>>>
>>>>>> FF gives cert revoked every time now.
>>>>>>
>>>>>> Chrome works. And say that cert expire Tuesday, September 19, 2023 
>>>>>> at 7:59:59 PM.
>>>>>
>>>>> I tried via work.
>>>>>
>>>>> Chrome works.
>>>>>
>>>>> FF does not work but gives a different error:
>>>>>
>>>>> "Bad Server Certificate" and certificate expiration is 11-Nov-2284 
>>>>> 07:08:23.
>>>>>
>>>>> WTF??
>>>>>
>>>>> Arne
>>>>>
>>>>>
>>>> Every certificate contains a URL for a certificate revocation list 
>>>> (CRL). So if a certificate is compromised, for example because its 
>>>> private key is stolen, it can be revoked.
>>>
>>> What kind of broken scheme is that? You get an URL and are supposed 
>>> to check if something is ok based on this? How hard would it be to 
>>> direct that to somewhere else and fake things?
>>>
>>>> What you are seeing is the fact that Chrome and Edge don't check the 
>>>> CRL but FF does
>>>
>>> Which is bad, but also shows how much you can trust certificates or 
>>> sites, based on your browser approving of them.
>>>
>>
>> On this whole certificate thing.  I have never understood why I am
>> expected to trust a certificate issued by someone I don't know and
>> have no reason to trust in the first place.
>>
> 
> How else would you arrange things?

That is a good question. But Bill still have a point. Why should I trust 
some random company just because they say so?

>> If you think that certificate someone gave you is really secure take
>> a look at recent papers about a safe manufacturer who gave the
>> government a code that opens every safe they have sold.  Are you
>> sure there isn't a back door for your certificate? 
> 
> Look at the uproar in the UK when the government recently asked for 
> this. If there were back doors the bad guys would have figured them out 
> and the world would be a different place.

How do you know they don't exist, and bad guys already have figured them 
out? It's not exactly something anyone would want to admit.

> Consider the case of TSA locks on suitcases. Its now totally pointless 
> locking a bag or case on a USA flight as every scroate owns a set of TSA 
> keys and so both the good guys and the bad guys can get in.

Those locks have never been about safety. Or did you really think that 
noone could open your suitcase and get to the content because you locked it?

Those locks are all about not having suitcases accidentally open up. 
Having a 3-digit combo is just making it look fancy. They are already 
extremely easy to pick.

But TSA don't care. And if you have one without the TSA bypass, they'll 
just break your lock to check inside. Which would you prefer? That they 
can open without damage, or open with damage?

>> Do you trust that
>> the issuer wouldn't give it to someone other than you?
>>
> 
> Well as an end user I don't have a certificate. When I accept an SSL 
> session I still trust in the certificate owner and the certificate 
> issuers i.e. the web site to keep their private keys private.

And the issuer can potentially issue a certificate for that site or item 
to anyone. You just have to trust that they don't.

> The issuer can give the rest of my certificate to the world. Every web 
> site does that whenever you initiate an SSL session. What they don't 
> give out is the associated private key, the secret part of the exchange.
> 
> The certificate issuer can't give that out, they never have it, is never 
> seen by the certificate issuer so they can't give it to any one else. Of 
> course if some one could determine my private key from my public key 
> then the could duplicate the certificate. This means as computing speeds 
> advance, the key lengths need to increase....

It all boils down to the CA certificates. Because a CA can issue a 
trusted certificate for any site. The owner of the site can't do 
anything about that.

   Johnny