Boston Linux & UNIX was originally founded in 1994 as part of The Boston Computer Society. We meet on the third Wednesday of each month at the Massachusetts Institute of Technology, in Building E51.

BLU Discuss list archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Discuss] [BLU/Officers] update instructions for key signing

On Mon, Sep 17, 2018, 11:27 Dan Ritter <dsr at> wrote:

> > Since my browser now flags non-https sites as "Unsecure," I'd like to
> know
> > how to generate a key to put in my Apache setup which will swing the
> > padlocks shut. I know that it won't be "valid" unless I import the key
> into
> > my browser, but that's a one-time effort and will stop the "unsecure"
> > messages when I ask people to visit my websites.
> >
> > Also, if possible, I'd like to be able to pass out keys for users to use
> in
> > lieu of passwords to access secured areas.
> >
> > Please tell me how to go about that, and thanks in advance.
> The easiest and best thing to do is to get SSL certs from Let's
> Encrypt.
> Everything else is worse and harder.

Correct. Even the US DOD is getting away from self signed certs that have
to be injected or accepted, because that trains users to be too trusting.

The only valid use case for DIY webserver certs are
(a) internal alphatest/Qa sites, which will then scream holy murder if prod
traffic gets misrouted to them;
 (b) closed intranet (no BYOD allowed) where one IT org controls both the
desktops and the webservers, and you install the Corp private selfsigned CA
key into IT release of IE/Edge, FF, Chrome.

Yes, it is in theory possible to distribute keys to authenticate a browser
to the webserver.
Browser side user certs can be useful in a DIY 2FA scheme but I'd not
recommend it as 1FA !!
This may seem like a good idea but doesn't really do what one usually
wants; it turns just their phone or laptop into a large losable 1FA dongle.
Possibly safe only if you control their password and screensaver policy.


BLU is a member of BostonUserGroups
BLU is a member of BostonUserGroups
We also thank MIT for the use of their facilities.

Valid HTML 4.01! Valid CSS!

Boston Linux & Unix /