Certificate geekery
Hal Murray
halmurray at sonic.net
Fri Dec 8 04:26:51 UTC 2023
Thanks.
> If that's a thing you want to do on your system, you can. IMHO, it's not
> something that we particularly need to promote, nor would I find it
> desirable operationally. If my NTP server changes their CA provider, then I
> won't be able to talk to them any more until I take manual action to adjust
> the pin.
I was assuming there would be a script that would do the work, say run as a
cron job. Probably send you email so you can do the actual edit.
> Yes, that's how the CA ecosystem works. That is absolutely a threat. Keep in
> mind that if a CA gets caught doing that, they will get the CA death
> penalty, ending their money printing business.
Some CAs are run by governments. That area gets messy.
There was a news item recently (month or 3??) about a Russian social media
server located in a German cloud provider that got MITM-ed. The bad guys got
a Let's Encrypt certificate. They could do that by just stealing the IP
address for a few minutes, which only takes one insider at the hosting service.
Researchers Uncover Wiretapping of XMPP-Based Instant Messaging Service
https://thehackernews.com/2023/10/researchers-uncover-wiretapping-of-xmpp.html
I can't tell how paranoid to be. It would be nice if we didn't depend on all
the root certificates.
--
These are my opinions. I hate spam.
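The cron-job pin checker sketched above, as an added example that is not part of the original post or of any NTP project: it computes the SPKI SHA-256 pin of a PEM certificate (the same function works on an issuer certificate saved from `openssl s_client -showcerts`, if the pin is on the CA rather than the leaf), compares it with a stored pin, and prints a report only when the pin changes, so cron's mail of the output is the notification. The host name and pin path are hypothetical; openssl(1) is assumed to be installed.

```shell
#!/bin/sh
# Pin monitor for a TLS server's certificate (SPKI SHA-256, base64).
# Run from cron: any output is mailed to the cron owner, so a changed pin
# produces an email and a non-zero exit, and the pin file is edited by hand.
set -eu

# Print the SPKI SHA-256 pin of a PEM certificate file.
spki_pin() {  # spki_pin certfile
    openssl x509 -in "$1" -pubkey -noout |
        openssl pkey -pubin -outform DER |
        openssl dgst -sha256 -binary |
        openssl base64 -A
}

# Save the leaf certificate presented by host:port as a PEM file.
fetch_cert() {  # fetch_cert host port outfile
    openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null |
        openssl x509 -out "$3"
}

# Compare a certificate's pin with the stored pin file.
# First run: record the pin. Returns 0 when unchanged, 1 when it differs
# (printing old and new pins for the cron mail).
check_pin() {  # check_pin certfile pinfile
    new=$(spki_pin "$1")
    if [ ! -f "$2" ]; then
        printf '%s\n' "$new" > "$2"
        echo "recorded initial pin for $1: $new"
        return 0
    fi
    old=$(cat "$2")
    if [ "$old" = "$new" ]; then
        return 0
    fi
    echo "PIN CHANGED for $1"
    echo "  stored: $old"
    echo "  seen:   $new"
    echo "Verify out of band, then update $2 by hand."
    return 1
}

# Usage (hypothetical NTS-KE host on port 4460):
#   fetch_cert ntp.example.org 4460 /tmp/leaf.pem
#   check_pin /tmp/leaf.pem /var/lib/ntp-pins/ntp.example.org
```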