[Discuss] Why the dislike of X.509?

markw at mohawksoft.com
Mon Aug 25 14:20:16 EDT 2014


You are talking about browser fuckery, not OpenVPN. OpenVPN uses the
hierarchical PKI of X.509, but has no default "trusted" CAs.

X.509 is a pretty workable system (I refuse to call it "good").

> On Mon, Aug 25, 2014 at 1:22 PM, Richard Pieri <richard.pieri at gmail.com>
> wrote:
>> It's not that I hate OpenVPN. It's that I hate key escrow systems. Hated
>> them since the early 1990s. I hate them because they're single points of
>> compromise for entire systems. I hate them because compromise is
>> undetectable by users.
>
> It's not that X.509 file format is the problem per se, it's the
> browser Root CA infrastructure that has been built upon it, that is
> used by most non-browser SSL apps too.
>
> In the Public CA infrastructure, most any sub-CA cert signed by any
> cert traceable to any browser Root CA can issue a MITM cert to
> impersonate any specific FQDN or *.someone.TLD. If the system was
> fit for purpose, should the Hong Kong Postal Authority or the
> stolen/compromised CA key be able to issue *.BLU.org certs that are
> trusted?  No. As is, would you know if they did? Not immediately,
> maybe never.
>
> Combine that with the weak nature of DNS and BGP security and any
> sufficiently advanced opponent -- either state-sponsored or
> organized-crime -- can beat SSL, at least against targeted or regional
> users.
>
> [ Add in how we like URL shorteners with cutely irrelevant 2L national
> TLDs like .LY .IE .US .CO .NU .TV that are property of governments
> that might be either amenable to official or corrupt requests, and
> it's only easier to divert traffic. ]
>
> Unpatched systems might still accept cancelled compromised-CA-key
> signed forgeries today.
> (The CRL won't save them, it can be blocked by an aggressive adversary
> with local or regional DNS/BGP poisoning ability, which is needed for
> most MITM anyway!)
>
> --
> Bill Ricker
> bill.n1vux at gmail.com
> https://www.linkedin.com/in/n1vux

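
The contrast drawn in this thread, between a store of many public roots and OpenVPN's lack of default trusted CAs, shown as an added example that is not part of the original messages. The CA labels `own` and `other` and the name `vpn.example.test` are constructed, and the script assumes the `openssl` CLI with its stock configuration.

```shell
#!/usr/bin/env bash
# Added illustration with constructed, throwaway CAs; nothing here is from the thread.
# Assumes the openssl CLI with its stock openssl.cnf (so `req -x509` emits CA:TRUE).
set -eu
work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT

make_ca() {      # $1 = label -> $work/$1.key, $work/$1.crt (self-signed root)
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1 root" \
    -keyout "$work/$1.key" -out "$work/$1.crt" 2>/dev/null
}

issue_leaf() {   # $1 = issuing CA label, $2 = subject CN -> $work/$1-leaf.crt
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$work/$1-leaf.key" -out "$work/$1-leaf.csr" 2>/dev/null
  openssl x509 -req -in "$work/$1-leaf.csr" -CA "$work/$1.crt" \
    -CAkey "$work/$1.key" -CAcreateserial -days 1 \
    -out "$work/$1-leaf.crt" 2>/dev/null
}

accepts() {      # $1 = trust-anchor file, $2 = certificate -> prints yes or no
  if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then echo yes; else echo no; fi
}

demo() {
  make_ca own;   issue_leaf own   vpn.example.test   # the operator's own CA
  make_ca other; issue_leaf other vpn.example.test   # unrelated CA, same name
  # Browser-style store: every listed root may vouch for every name.
  cat "$work/own.crt" "$work/other.crt" > "$work/bundle.pem"
  echo "bundle: own=$(accepts "$work/bundle.pem" "$work/own-leaf.crt")" \
       "other=$(accepts "$work/bundle.pem" "$work/other-leaf.crt")"
  # Single private anchor: only the operator's CA is consulted.
  echo "private: own=$(accepts "$work/own.crt" "$work/own-leaf.crt")" \
       "other=$(accepts "$work/own.crt" "$work/other-leaf.crt")"
}

demo
```

With the two-root bundle both certificates for the same name verify; with the single private anchor only the one issued by that CA does, which is why the size of the trust store, not the X.509 format, decides who can vouch for a name.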