Boston Linux & UNIX was originally founded in 1994 as part of The Boston Computer Society. We meet on the third Wednesday of each month, online, via Jitsi Meet.

BLU Discuss list archive


[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Discuss] Why the dislike of X.509?



The part I don't get is the claim that OpenVPN is vulnerable because the
public infrastructure that OpenVPN DOES NOT USE is vulnerable.


On Mon, Aug 25, 2014 at 1:53 PM, Bill Ricker <bill.n1vux at gmail.com> wrote:

> On Mon, Aug 25, 2014 at 1:22 PM, Richard Pieri <richard.pieri at gmail.com>
> wrote:
> > It's not that I hate OpenVPN. It's that I hate key escrow systems. Hated
> > them since the early 1990s. I hate them because they're single points of
> > compromise for entire systems. I hate them because compromise is
> > undetectable by users.
>
> It's not that X.509 file format is the problem per se, it's the
> browser Root CA infrastructure that has been built upon it, that is
> used by most non-browser SSL apps too.
>
> In the Public CA infrastructure,  most any sub-CA cert signed by any
> cert traceable to any browser Root CA can issue a MITM cert to
> impersonate any specific FQDN or *.someone.TLD .  If the system was
> fit for purpose, should the Hong Kong Postal Authority or the
> stolen/compromised CA key be able to issue *.BLU.org certs that are
> trusted?  No. As is, would you know if they did? Not immediately,
> maybe never.
>
> Combine that with the weak nature of DNS and BGP security and any
> sufficiently advanced opponent -- either state-sponsored or
> organized-crime -- can beat SSL, at least against targeted or regional
> users.
>
> [ Add in how we like URL shorteners with cutely irrelevant 2L national
> TLDs like .LY .IE .US .CO .NU .TV that are property of governments
> that might be either amenable to official or corrupt requests, and
> it's only easier to divert traffic. ]
>
> Unpatched systems might still accept cancelled compromised-CA-key
> signed forgeries today.
> (The CRL won't save them, it can be blocked by an aggressive adversary
> with local or regional DNS/BGP poisoning ability, which is needed for
> most MITM anyway ! )
>
> --
> Bill Ricker
> bill.n1vux at gmail.com
> https://www.linkedin.com/in/n1vux
> _______________________________________________
> Discuss mailing list
> Discuss at blu.org
> http://lists.blu.org/mailman/listinfo/discuss
>



-- 
John Abreau / Executive Director, Boston Linux & Unix
Email jabr at blu.org / WWW http://www.abreau.net / PGP-Key-ID 0x920063C6
PGP-Key-Fingerprint A5AD 6BE1 FEFE 8E4F 5C23  C2D0 E885 E17C 9200 63C6



BLU is a member of BostonUserGroups
BLU is a member of BostonUserGroups
We also thank MIT for the use of their facilities.

Valid HTML 4.01! Valid CSS!



Boston Linux & Unix / webmaster@blu.org