[liberationtech] self signing certs by default

John Adams jna at retina.net
Fri Mar 14 14:45:01 PDT 2014 

You misunderstand the signing practice if you think this is a good idea.

Granted, it provides a low level of encryption for clients but it does not provide Non-repudiability to those users, opening them up to MitM attacks.

Sent from my iPhone

> On Mar 14, 2014, at 16:35, Guido Witmond <guido at witmond.nl> wrote:
> 
>> On 03/14/14 19:56, Julian Oliver wrote:
>> ..on Fri, Mar 14, 2014 at 10:46:30AM -0700, Lucas Gonze wrote:
>>> Let's say web servers auto generated self-signed certificates for any
>>> domain that didn't supply its own certificate, likely one from an authority.
>>> 
>>> What that would accomplish is to make the stream unreadable over the wire,
>>> unless the attacker was willing and able to do an MITM with their own auto
>>> generated self-signed certificate.
>>> 
>>> It would not be hard to do that MITM, but it would be orders of magnitude
>>> more expensive than copying unencrypted bytes off the router. It would not
>>> be practical to do the MITM against a large portion of traffic. The
>>> attacker would have to pick their targets.
>> 
>>> 
>>> Thoughts?
> 
>> 
>> It would be good if Debian and other popular GNU/Linux LAMP distributions made
>> OpenSSL/TLS key generation (and set up of a VirtualHost template for :443) an
>> encouraged option during an Apache installation (OpenSSL is a dependency
>> anyway). It could be a simple walkthrough with Qs for CN and admin email,
>> abstracting over the classic and ungainly: 
>> 
>>    openssl req -new -x509 -days 365 -nodes -out /etc/ssl/localcerts/apache.pem -keyout /etc/ssl/localcerts/apache.key
> 
> One could also automatically derive the DNSSEC-DANE TLSA record from
> that server certificate and mail it to the sysadmin. Include a paragraph
> that explains that by publishing that record, the site has stronger
> protections against MitM-attacks than possible with CA-bought certificates.
> 
> (the downside is that user need to install the Extended-DNSSEC-Validator
> plug in).
> 
> 
> 
> Regards, Guido.
> 
> -- 
> Liberationtech is public & archives are searchable on Google. Violations of list guidelines will get you moderated: https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe, change to digest, or change password by emailing moderator at companys at stanford.edu.

More information about the liberationtech mailing list