I'm not knowledgeable enough to engineer a phony-certificate attack; just enough to worry about it. I imagine a user accepting a fraudulent certificate could lead to malware being accepted. Once the user's account is compromised, I've got a much bigger problem than I want to handle. I don't think I'd rather make it any easier for a user to play with certificates. I'm not aware of a real good reason to do that. I'm asking if anyone legitimately has had to, given what BLFS installs.

For example, reading about the CA attacks of 2011, I run into this sort of thing, and there's lots more:

"These attacks began with a SQL injection attack against Comodo’s GlobalTrust and InstantSSL databases resulting in the issuance of rogue certificates for addons.mozilla.org, login.skype.com, login.live.com, mail.google.com, google.com, and login.yahoo.com. This was followed by an attack on DigiNotar where over 500 rogue certificates were issued including some wildcard certificates such as *.google.com which allowed the certificate to be used for any google.com site. ...

Rogue certificates allow attackers to create illegitimate sites that are indistinguishable from real sites like eBay, Google or PNC because their certificate hierarchy can be validated. Users then will be redirected to such sites through phishing or 'man in the middle' attacks where a compromised host in-between the user and a legitimate site sends traffic to an illegitimate site instead. Some viruses have used rogue certificates to make their content seem legitimate. For example, fake AV, some Zeus variants, Conficker and more recently, Stuxnet and Duqu have used rogue certificates."

"NIST's new 'Preparing for and Responding to Certification Authority Compromise and Fraudulent Certificate Issuance' guidelines bulletin, which was co-authored by Venafi, is a direct response to concerns about how a CA breach could affect agencies and businesses. NIST's guidance bulletin highlights some very specific tasks that IT managers should perform to reduce compromises and how to prepare for a breach, which may be an inevitability, especially in light of past attacks. One of the first recommendations from NIST is to make sure that IT managers fully inventory and track all of the certificates in use, including what authority provided the certificates, what systems use certificates and the issuance and expiration dates of those digital certificates.
For many businesses, that simple advice could prevent a tsunami of certificate related failures. Today, most businesses have very poor inventory control over certificates, ..."

--
Paul Rogers
paulgrog...@fastmail.fm
Rogers' Second Law: "Everything you do communicates."
(I do not personally endorse any additions after this line. TANSTAAFL :-)