From owner-freebsd-ports@FreeBSD.ORG Sat Jun 2 22:53:53 2012 Return-Path: Delivered-To: freebsd-ports@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id D3F89106566B for ; Sat, 2 Jun 2012 22:53:53 +0000 (UTC) (envelope-from code@apotheon.net) Received: from oproxy1-pub.bluehost.com (oproxy1.bluehost.com [IPv6:2605:dc00:100:2::a1]) by mx1.freebsd.org (Postfix) with SMTP id 950A38FC08 for ; Sat, 2 Jun 2012 22:53:53 +0000 (UTC) Received: (qmail 19343 invoked by uid 0); 2 Jun 2012 22:53:53 -0000 Received: from unknown (HELO box543.bluehost.com) (74.220.219.143) by oproxy1.bluehost.com with SMTP; 2 Jun 2012 22:53:53 -0000 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=apotheon.net; s=default; h=In-Reply-To:Content-Transfer-Encoding:Content-Type:MIME-Version:References:Message-ID:Subject:To:From:Date; bh=P21nM+iJ0pFjUBxzotrHdq/WWWUpeR9QuGe/BxxXpyg=; b=srlWBvsBxMvSrQY4Sdq2T4M2a9ywMoNvgBGxj25VEvKh3Wc3HC3zgAk9ol9b4dAe4zhmepOk4fRBrG1s3zBoNYHceun0IXn8p6E7Qh07txD7K9lJ8m9RRgfvzDngOjiG; Received: from [63.253.113.170] (port=38548 helo=localhost) by box543.bluehost.com with esmtpsa (TLSv1:AES128-SHA:128) (Exim 4.76) (envelope-from ) id 1SaxCi-0002eV-KI for freebsd-ports@freebsd.org; Sat, 02 Jun 2012 16:53:52 -0600 Date: Sat, 2 Jun 2012 16:53:35 -0600 From: Chad Perrin To: freebsd-ports@freebsd.org Message-ID: <20120602225148.GA8486@hemlock.hydra> References: <20120602122658.0f86debc@scorpio> <20120602140703.004264ea@scorpio> MIME-Version: 1.0 Content-Type: text/plain; charset=iso-8859-1 Content-Disposition: inline Content-Transfer-Encoding: 8bit In-Reply-To: <20120602140703.004264ea@scorpio> User-Agent: Mutt/1.5.21 (2010-09-15) X-Identified-User: {2737:box543.bluehost.com:apotheon:apotheon.net} {sentby:smtp auth 63.253.113.170 authed with code@apotheon.net} Subject: Re: Please rebuild all ports that depend on PNG X-BeenThere: freebsd-ports@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: Porting software to FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 02 Jun 2012 22:53:53 -0000 On Sat, Jun 02, 2012 at 02:07:03PM -0400, Jerry wrote: > On Sat, 2 Jun 2012 17:34:59 +0100 Chris Rees articulated: > > > >It just means he hasn't bought a certificate- no less trustworthy than > >vanilla (non-SSL) http. > > IMHO, if you are going to use "https" then you should have a proper SSL > certificate. A self-signed one means virtually nothing. If the web site > operator is not going to purchase an authentic certificate they why > use SSL at all? Just my 2¢ on the matter. 1. SSL means encrypted, regardless of who signs the certificate. 2. Using a known CA for certificate signing means a third party with enough clout to get added to a list of known CAs vouches for the certificate (or that someone else has somehow compromised that third party's cert signing resources). 3. Many "trusted" widely-known CAs have questionable policies with regard to certificate signing, and often use very weak ciphers for cert signing. On several occasions, government agencies and malicious security crackers have been found using bogus certs that verify as signed by "legitimate" CAs. 4. Regardless of who signs a cert, you still have to trust the site operators to some extent, because the encryption certainly doesn't stop *them* from getting the information you're sending, so in principle a self-signed cert is not in any way an indication of any lesser trustworthiness. 5. As long as you can get trustworthy confirmation of the provenance of a given cert's signature, you can verify the cert as authentic for the site in question, subject to the limitations of the technology used. The not-quite-obvious (to many, at least) consequence of the above is that the entire PKI system used by CAs for SSL is what amounts to a vacant lot scam. This is where a vacant parking lot -- owned by someone who is not making (much) use of it on a given occasion -- is "claimed" by someone wearing something like a valet uniform, who takes money in exchange for parking someone's car in the lot but actually has no relationship with the lot owner at all. The result is that people parking in the lot are being charged money for the promise of something (official, property-owner permission to park there, plus responsible care for the vehicles in question) that to some extent the person charging the money is not in a position to offer. The analogous condition in this case is that the well-known CAs are promising security and privacy that can be gotten by other, cheaper means, but to some extent do not even provide as high quality a guarantee as they would like you to think. Alternate verification infrastructures such as Monkeysphere and (my favorite, in terms of design principles) Perspectives provide roughly equivalent security value, and if they reach a threshhold of user density would exceed the security value of CA-signed certificates as a basis for verification. In addition to this, simply posting cert signature data publicly for out-of-band comparison could greatly enhance the verifiability of SSL site certificates, as with an OpenPGP public key. In fact, many of the weaknesses of SSL systems as currently designed could be obviated by having used OpenPGP as the basis of the system rather than creating this whole PKI system for the sole purpose of making corporate CAs seem "necessary" as imaginary authorities who claim to be able to provide special "security" guarantees. So . . . your opinion may be that a self-signed sertificate "means virtually nothing", but security in the real world does not operate on unfounded opinions. -- Chad Perrin [ original content licensed OWL: http://owl.apotheon.org ]