[Info-vax] forum.vmssoftware.com/

Simon Clubley clubley at remove_me.eisner.decus.org-Earth.UFP
Mon Sep 11 13:58:27 EDT 2023


On 2023-09-11, Johnny Billquist <bqt at softjar.se> wrote:
> On 2023-09-11 18:09, David Wade wrote:
>> 
>> How else would you arrange things?
>
> That is a good question. But Bill still has a point. Why should I trust 
> some random company just because they say so?
>

You already decided to trust the company when you decided to visit it.

The certificate is a way of checking that the company you are visiting
is really the company you think it is.

Also, the chain of trust does not start with a random company, but with
the root certificates in your own web browser. (And yes, that chain _can_
be compromised if an attacker is determined and resourceful enough).

>> 
>> Well as an end user I don't have a certificate. When I accept an SSL 
>> session I still trust in the certificate owner and the certificate 
>> issuers i.e. the web site to keep their private keys private.
>
> And the issuer can potentially issue a certificate for that site or item 
> to anyone. You just have to trust that they don't.
>

And when that happens (and it does sometimes happen), that issuer has just
committed suicide if it can be shown to be incompetence on the part of the
issuer. CAs have been dropped in the past from the major web browsers
because of this, but I can't remember the details.

(Other possibilities include a nation-state attack with a vector the issuer
could not reasonably have been aware of).

Simon.

-- 
Simon Clubley, clubley at remove_me.eisner.decus.org-Earth.UFP
Walking destinations on a map are further away than they appear.
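Simon's point that the chain of trust starts with the root certificates on the verifying side, and Johnny's that an issuer can sign a certificate for any name, as an added example that is not part of this thread: it assumes only the openssl CLI on PATH, and the CA names and the host name example.test are constructed.

```shell
#!/bin/sh
# Added example, not from the thread: two private test CAs built offline with
# the openssl CLI (assumed on PATH). Which issuer a verifier accepts is decided
# entirely by the root set on the verifying side, the way a browser's root
# store does. All CA names and the host name example.test are constructed.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# make_root NAME PREFIX: self-signed root CA (req -x509 marks it CA:TRUE).
make_root() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -sha256 \
        -subj "/CN=$1" -keyout "$2.key" -out "$2.pem" >/dev/null 2>&1
}

# issue_leaf CAPREFIX PREFIX: certificate for example.test signed by that CA.
issue_leaf() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=example.test" \
        -keyout "$2.key" -out "$2.csr" >/dev/null 2>&1
    openssl x509 -req -in "$2.csr" -CA "$1.pem" -CAkey "$1.key" \
        -CAcreateserial -days 30 -sha256 -out "$2.pem" >/dev/null 2>&1
}

# verify LEAF STORE: "ok" if LEAF chains to a root in STORE, else "fail".
verify() {
    if openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; then
        echo ok
    else
        echo fail
    fi
}

make_root "Trusted Root CA" trusted
make_root "Other CA" other
issue_leaf trusted leaf_trusted     # the issuer the site actually used
issue_leaf other leaf_other         # a second CA issuing for the same name

cp trusted.pem store_one.pem                 # root store holding one root
cat trusted.pem other.pem > store_both.pem   # root store after "Other CA" is added

echo "leaf from Trusted Root CA, one-root store:  $(verify leaf_trusted.pem store_one.pem)"
echo "leaf from Other CA,        one-root store:  $(verify leaf_other.pem store_one.pem)"
echo "leaf from Other CA,        both-root store: $(verify leaf_other.pem store_both.pem)"
# Removing "Other CA" from the store (back to store_one.pem) turns that last
# result from ok to fail again: the effect of a CA being dropped by browsers.
```

The second certificate is rejected not because anything about it looks wrong, but because its issuer is absent from the verifier's root set; that set, not the site, is where the trust decision lives.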