The problem is that finding a root source of trust isn't easy these days. LE was neutral, now nobody is.

Russian government issued their new root certificate years ago.

Nobody trusted it enough to request a certificate from them or install it on their computers. Including almost all of the Russian residents.

If Let's Encrypt enforces the rules, as written in the PDF, a lot of people would lose a choice.

Frankly, even publishing a statement like that would make the scales of trust tip for some.

reply
It is such a great improvement that ISPs cannot eavesdrop on us anymore... only for everyone to terminate TLS at Cloudflare so they (and thus the US government) can now eavesdrop on everyone.
reply
Do we also need to put all our letters into strongboxes before we send them?

Maybe we should have solved the ISP snooping problem by making that illegal instead.

reply
This just leaves every single public Wi-Fi network - which used to mess with traffic a lot.
reply
Guys, we live in a society.
reply
We could, and should, switch to DANE. Or else, switch to how X.509 was supposed to be used, with each country running a CA for their nationals.
reply
I trust governments much less than a conglomerate of competing corporations.

With all the problems with Web PKI, at least the bad actors are getting distrusted, and this provides a very strong enforcement on the rest. And Certificate Transparency makes sure the mis-issuance would be caught. It is not perfect by any means, but things are getting better.

With DANE (or other country-issued certificates), every government will absolutely double-issue certificates to police, secret service and friends of government, and no one will have any recourse. (In the past I'd say that only countries like Russia would do it... but with today's climate, I am sure both the US and many European countries will do that too.)

reply
> every government will absolutely double-issue certificates to police, secret service and friends of government, and no one will have any recourse.

Countries already have CAs that issue certificates with more legal force than a handwritten signature. I can open a bank account, pay my taxes and sign up to all government services. But I can't use them for a webpage.

> With DANE (or other country-issued certificates)

DANE isn't a country-issued certificate. It's a scheme where you store your public keys on DNS records. Of course, now we have the issue that DNSSEC (signed DNS records) isn't widespread and the whole issue with DNS registries.

reply
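To make the "public keys in DNS records" point concrete, here is an added example (not from the thread) of how a DANE-EE TLSA record is matched against a server's certificate per RFC 6698. It assumes constructed byte strings as stand-ins for the DER certificate and SubjectPublicKeyInfo that a real client would take from the TLS handshake.

```python
import hashlib
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class TLSARecord:
    """One TLSA RR (RFC 6698): usage, selector, matching type, association data."""
    usage: int          # 0 PKIX-TA, 1 PKIX-EE, 2 DANE-TA, 3 DANE-EE
    selector: int       # 0 = full certificate DER, 1 = SubjectPublicKeyInfo DER
    matching_type: int  # 0 = exact bytes, 1 = SHA-256, 2 = SHA-512
    data: bytes


def parse_tlsa(rdata: str) -> TLSARecord:
    """Parse presentation format, e.g. '3 1 1 <hex>' as published at _443._tcp.<host>."""
    usage, selector, mtype, hexdata = rdata.split(maxsplit=3)
    return TLSARecord(int(usage), int(selector), int(mtype),
                      bytes.fromhex(hexdata.replace(" ", "")))


def association_data(rec: TLSARecord, cert_der: bytes, spki_der: bytes) -> bytes:
    """Bytes the record's data field must equal for this certificate."""
    selected = {0: cert_der, 1: spki_der}[rec.selector]  # KeyError: unknown selector
    digest = {0: lambda b: b,
              1: lambda b: hashlib.sha256(b).digest(),
              2: lambda b: hashlib.sha512(b).digest()}
    return digest[rec.matching_type](selected)  # KeyError: unknown matching type


def dane_ee_matches(rec: TLSARecord, cert_der: bytes, spki_der: bytes) -> bool:
    """Usage 3 (DANE-EE): the leaf is accepted iff it matches the record; no CA is consulted."""
    if rec.usage != 3:
        raise ValueError("this checker only implements usage 3 (DANE-EE)")
    return hmac.compare_digest(association_data(rec, cert_der, spki_der), rec.data)


# Constructed stand-ins for DER blobs (real ones come from the TLS handshake).
SITE_CERT = b"constructed DER: cert for example.com, key A"
SITE_SPKI = b"constructed DER: SubjectPublicKeyInfo for key A"
ROGUE_CERT = b"constructed DER: cert for example.com, key B, signed by a trusted CA"
ROGUE_SPKI = b"constructed DER: SubjectPublicKeyInfo for key B"


def publish_record(spki_der: bytes) -> str:
    """What the site owner puts in DNS: '3 1 1' plus SHA-256 of its own SPKI."""
    return "3 1 1 " + hashlib.sha256(spki_der).hexdigest()


def demo() -> dict:
    rec = parse_tlsa(publish_record(SITE_SPKI))
    return {"legit_site": dane_ee_matches(rec, SITE_CERT, SITE_SPKI),
            "double_issued": dane_ee_matches(rec, ROGUE_CERT, ROGUE_SPKI)}
```

Note that a certificate issued for the same name under a different key fails the check regardless of which CA signed it; the record is only as trustworthy as the DNSSEC chain that delivered it, which is the caveat raised in the comment above.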
Pretty much any big government has a CA they can exert direct control over whenever needed.
reply
Maybe, but then they can only do it once. Then they get caught, and their CA is distrusted. See DigiNotar [0] for example.

And things have only gotten better since - we now have CT logs, and browsers require them, so any mis-issuance can be detected automatically, by any interested third party.

If we go to DANE, we lose this all. "Oops, our CT uploader process failed, we will fix Real Soon(tm) we promise" - and what are browsers going to do? Distrust the entire country?

[0] https://blog.mozilla.org/security/2011/09/02/diginotar-remov...

reply
[delayed]
reply
Side note: “DigiNotar BV was a Dutch certificate authority from 1998 to 2011. It was acquired in January 2011 by VASCO and subsequently declared bankrupt in September of the same year” [1].

I didn't realize they slapped their face on the pavement right after being acquired.

[1] https://en.wikipedia.org/wiki/DigiNotar

reply
deleted
reply
> I always saw it as a trust-chain and think that anyone is welcomed to create a root certificate and distribute it to whomever trusts them.

Note that phones already try to prevent you from using a certificate that you provide yourself.

reply