On Mon, Dec 31, 2012 at 9:42 AM, Tobias Klausmann <klaus...@gentoo.org> wrote:
> Now before you reply, RTFA. Also note that while my own opinion
> on the matter is irrelevant, I _do_ think that his concerns need
> to be addressed, particularly the second half of his statement.

SSL Certificate Authorities are a mess.  Grab your favorite
browser/phone/etc and take a look at the list of trusted authorities
and tell me if you have even heard of half of them.  If you look at
the list on a mobile device that is more than a year old or so, most
likely it still has the compromised Diginotar certificates on it,
since nobody bothers to update most of these devices after they are
sold (one or two brands notwithstanding).

Mozilla of course happily packaged the Diginotar certificates because
they paid the substantial fee and had the stack of paper that
demonstrated that at one point in time they at least had something
that resembled secure operations during a cursory audit.  They have
been steadily blocking providers like CACert for just as long as they
had not demonstrated proper security theater.  As far as I'm aware,
the latter hasn't been handing out certificates for everything from
GMail to Hotmail to random hackers.

The certificates that Gentoo distributes have at least been vouched
for by somebody who is a part of our community, which is more than can
be said for most of the upstream certificates.

The bottom line is that if you care about security that much, you will
de-list all the CAs on your system and do your own audits (routinely),
or white-list individual website certificates (again after whatever
level of due diligence you feel is appropriate).  Perhaps you might
even hire somebody to do this work for you, but it will be somebody
you actually pay, and who will therefore treat you as a customer.
Make no mistake, you are NOT the customer of the CAs in your browser -
you are their product, sold to various companies for $200/yr or
whatever the going rate is.  It really isn't that much different from
advertising: if you want to get your message out, you pay the
gatekeepers for the privilege.

My suggestion is to leave things alone, and by all means have a
disclaimer on the ca-certificates package as Debian does.  I'd rather
not bundle any certificates than be a party to the
hand-over-$10k-for-the-right-to-MITM-random-websites game.

Rich
