BLU Discuss list archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Discuss] Why the dislike of X.509?
- Subject: [Discuss] Why the dislike of X.509?
- From: jabr at blu.org (John Abreau)
- Date: Mon, 25 Aug 2014 14:00:15 -0400
- In-reply-to: <CAAbKA3VMpFi37aJ2510XXUYLQu4qEMPYfhDWU6aBd9oXGnTcNw@mail.gmail.com>
- References: <53F9F6B9.4060505@stephenadler.com> <20140824161132.GE14848@randomstring.org> <be314521ab6bebb6add54d706b042f01.squirrel@mail.mohawksoft.com> <53FA1C3B.70908@gmail.com> <53FB19E5.4080602@aeminium.org> <53FB4A5D.2030305@gmail.com> <CA+h9Qs5GnC6d1ejBQC=crtHwxoDiFWo4Kn+xjt0eiA8Kr733_A@mail.gmail.com> <53FB70E6.50706@gmail.com> <CAAbKA3VMpFi37aJ2510XXUYLQu4qEMPYfhDWU6aBd9oXGnTcNw@mail.gmail.com>
The part I don't get is the claim that OpenVPN is vulnerable because the public infrastructure that OpenVPN DOES NOT USE is vulnerable. On Mon, Aug 25, 2014 at 1:53 PM, Bill Ricker <bill.n1vux at gmail.com> wrote: > On Mon, Aug 25, 2014 at 1:22 PM, Richard Pieri <richard.pieri at gmail.com> > wrote: > > It's not that I hate OpenVPN. It's that I hate key escrow systems. Hated > > them since the early 1990s. I hate them because they're single points of > > compromise for entire systems. I hate them because compromise is > > undetectable by users. > > It's not that X.509 file format is the problem per se, it's the > browser Root CA infrastructure that has been built upon it, that is > used by most non-browser SSL apps too. > > In the Public CA infrastructure, most any sub-CA cert signed by any > cert traceable to any browser Root CA can issue a MITM cert to > impersonate any specific FQDN or *.someone.TLD . If the system was > fit for purpose, should the Hong Kong Postal Authority or the > stolen/compromised CA key be able to issue *.BLU.org certs that are > trusted? No. As is, would you know if they did? Not immediately, > maybe never. > > Combine that with the weak nature of DNS and BGP security and any > sufficiently advanced opponent -- either state-sponsored or > organized-crime -- can beat SSL, at least against targeted or regional > users. > > [ Add in how we like URL shorteners with cutely irrelevant 2L national > TLDs like .LY .IE .US .CO .NU .TV that are property of governments > that might be either amenable to official or corrupt requests, and > it's only easier to divert traffic. ] > > Unpatched systems might still accept cancelled compromised-CA-key > signed forgeries today. > (The CRL won't save them, it can be blocked by an aggressive adversary > with local or regional DNS/BGP poisoning ability, which is needed for > most MITM anyway ! ) > > -- > Bill Ricker > bill.n1vux at gmail.com > https://www.linkedin.com/in/n1vux > _______________________________________________ > Discuss mailing list > Discuss at blu.org > http://lists.blu.org/mailman/listinfo/discuss > -- John Abreau / Executive Director, Boston Linux & Unix Email jabr at blu.org / WWW http://www.abreau.net / PGP-Key-ID 0x920063C6 PGP-Key-Fingerprint A5AD 6BE1 FEFE 8E4F 5C23 C2D0 E885 E17C 9200 63C6
- References:
- [Discuss] vnc
- From: adler at stephenadler.com (Stephen Adler)
- [Discuss] vnc
- From: dsr at randomstring.org (Dan Ritter)
- [Discuss] vnc
- From: markw at mohawksoft.com (markw at mohawksoft.com)
- [Discuss] vnc
- From: richard.pieri at gmail.com (Richard Pieri)
- [Discuss] vnc
- From: nuno at aeminium.org (Nuno Sucena Almeida)
- [Discuss] Why the dislike of X.509?
- From: richard.pieri at gmail.com (Richard Pieri)
- [Discuss] Why the dislike of X.509?
- From: jabr at blu.org (John Abreau)
- [Discuss] Why the dislike of X.509?
- From: richard.pieri at gmail.com (Richard Pieri)
- [Discuss] Why the dislike of X.509?
- From: bill.n1vux at gmail.com (Bill Ricker)
- [Discuss] vnc
- Prev by Date: [Discuss] Why the dislike of X.509?
- Next by Date: [Discuss] Why the dislike of X.509?
- Previous by thread: [Discuss] Why the dislike of X.509?
- Next by thread: [Discuss] Why the dislike of X.509?
- Index(es):
