Boston Linux & UNIX was originally founded in 1994 as part of The Boston Computer Society. We meet on the third Wednesday of each month at the Massachusetts Institute of Technology, in Building E51.

BLU Discuss list archive


[Discuss] Why the dislike of X.509?

The part I don't get is the claim that OpenVPN is vulnerable because the
public infrastructure that OpenVPN DOES NOT USE is vulnerable.

On Mon, Aug 25, 2014 at 1:53 PM, Bill Ricker <bill.n1vux at> wrote:

> On Mon, Aug 25, 2014 at 1:22 PM, Richard Pieri <richard.pieri at>
> wrote:
> > It's not that I hate OpenVPN. It's that I hate key escrow systems. Hated
> > them since the early 1990s. I hate them because they're single points of
> > compromise for entire systems. I hate them because compromise is
> > undetectable by users.
>
> It's not that X.509 file format is the problem per se, it's the
> browser Root CA infrastructure that has been built upon it, that is
> used by most non-browser SSL apps too.
>
> In the Public CA infrastructure, most any sub-CA cert signed by any
> cert traceable to any browser Root CA can issue a MITM cert to
> impersonate any specific FQDN or *.someone.TLD. If the system was
> fit for purpose, should the Hong Kong Postal Authority or the
> stolen/compromised CA key be able to issue * certs that are
> trusted?  No. As is, would you know if they did? Not immediately,
> maybe never.
>
> Combine that with the weak nature of DNS and BGP security and any
> sufficiently advanced opponent -- either state-sponsored or
> organized-crime -- can beat SSL, at least against targeted or regional
> users.
>
> [ Add in how we like URL shorteners with cutely irrelevant 2L national
> TLDs like .LY .IE .US .CO .NU .TV that are property of governments
> that might be either amenable to official or corrupt requests, and
> it's only easier to divert traffic. ]
>
> Unpatched systems might still accept cancelled compromised-CA-key
> signed forgeries today.
> (The CRL won't save them, it can be blocked by an aggressive adversary
> with local or regional DNS/BGP poisoning ability, which is needed for
> most MITM anyway!)
> --
> Bill Ricker
> bill.n1vux at

John Abreau / Executive Director, Boston Linux & Unix
Email jabr at / WWW / PGP-Key-ID 0x920063C6
PGP-Key-Fingerprint A5AD 6BE1 FEFE 8E4F 5C23  C2D0 E885 E17C 9200 63C6
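
The distinction this thread turns on, as an added example that is not part of any poster's message: a verifier pointed at a single private CA file rejects a certificate for the same name issued by any other CA. The CA names, the host name `vpn.example.test` and the helper functions are constructed for illustration; `openssl` (1.1.0 or later) on the PATH is assumed.

```shell
#!/bin/sh
# Added example. Both CAs are throwaway and constructed here; the names
# "private-ca", "other-ca" and "vpn.example.test" are hypothetical.

# Minimal req config so the result does not depend on the system openssl.cnf.
write_cnf() {
    printf '%s\n' '[req]' 'distinguished_name=dn' 'x509_extensions=v3_ca' \
        '[dn]' '[v3_ca]' 'basicConstraints=critical,CA:TRUE' > "$1/req.cnf"
}

# make_ca DIR NAME: self-signed CA as DIR/NAME.key and DIR/NAME.crt
make_ca() {
    openssl req -x509 -config "$1/req.cnf" -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=$2" -keyout "$1/$2.key" -out "$1/$2.crt" 2>/dev/null
}

# issue DIR CA LEAF CN: certificate for CN, signed by CA, as DIR/LEAF.crt
issue() {
    openssl req -new -config "$1/req.cnf" -newkey rsa:2048 -nodes \
        -subj "/CN=$4" -keyout "$1/$3.key" -out "$1/$3.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/$3.csr" -CA "$1/$2.crt" -CAkey "$1/$2.key" \
        -set_serial 1 -days 1 -out "$1/$3.crt" 2>/dev/null
}

# trusted_by CAFILE CERT: succeeds only if CERT chains to a CA in CAFILE.
# -no-CApath keeps the system directory of public roots out of the check.
trusted_by() {
    openssl verify -no-CApath -CAfile "$1" "$2" >/dev/null 2>&1
}

# verdict CAFILE CERT: prints "accepted" or "rejected"
verdict() {
    if trusted_by "$1" "$2"; then echo accepted; else echo rejected; fi
}

# demo: same subject name issued by two CAs, checked against one trust anchor
demo() {
    d=$(mktemp -d) || return 1
    write_cnf "$d"
    make_ca "$d" private-ca && make_ca "$d" other-ca &&
    issue "$d" private-ca real vpn.example.test &&
    issue "$d" other-ca forged vpn.example.test &&
    echo "private-ca=$(verdict "$d/private-ca.crt" "$d/real.crt")" \
         "other-ca=$(verdict "$d/private-ca.crt" "$d/forged.crt")"
    rc=$?
    rm -rf "$d"
    return $rc
}

demo
```

The second certificate carries the same subject name as the first, yet fails verification because its issuer is not the one CA in the trust file.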

BLU is a member of BostonUserGroups
We also thank MIT for the use of their facilities.
