From: Sergey Matveev <stargrave@stargrave•org>
To: nncp-devel@lists.cypherpunks.ru
Subject: Re: Website TLS certificates
Date: Wed, 21 Jul 2021 22:32:56 +0300
Message-ID: <YPh2cwRlnbZ/JVE+@stargrave.org>
In-Reply-To: <20210721184746.c5bch4tqrtrshzla@faeroes.freeshell.org>


Greetings!

*** Jonathan Lane [2021-07-21 18:47]:
>Is there a plan to get proper SSL certificates for the website?  I can't
>access them from either w3m or Firefox on my machine because of trust
>issues.

I do not know any free CAs that can be trusted both by me and by major
OS/browser vendors. And I definitely won't play those business (not
security) games. Major OS/browser vendors, being US-based, were forced
to reject/remove all free CAs that are not under USA/NATO control to
create their own one (Let's Encrypt) under "proper" jurisdiction. A great
and very clever move indeed, because now most of the Web is
authenticated by a single centralized USA/NATO-controlled entity.

Previously I used the well-known CACert.org, but because of COVID they were
not able to access their datacenter to restore their interrupted
operation, so I was forced to choose another CA. Even with CACert.org
people were unsatisfied, because only minor OSes provide its certificate
out of the box.

So what is the choice?
* Do not use TLS -- but certificate pinning could be done and it could
  be useful for security
* Do not use X.509 at all, but TLS relies on it.
* Paid ones -- no way. They are not about security, but business.
* Let's Encrypt -- clearly it can be used for authentication forging.
  So why bother? Encryption could be done anyway.
* Other CAs, like CACert.org -- the majority of users will still be
  unsatisfied, and CACert.org was down for a very long time.
* Self-signed certificate? Unlike Let's Encrypt with its very
  short-lived certificates, which practically forbid (harm very much)
  certificate pinning usage, long-lived self-signed ones are much more
  convenient with TOFU+pinning usage.
* Issued by own CA? The same as self-signed, but just a single convenient
  trust anchor for my various resources. My ca.cypherpunks.ru is also
  signed with my PGP key, having some Web-of-Trust paths.

-- 
Sergey Matveev (http://www.stargrave.org/)
OpenPGP: CF60 E89A 5923 1E76 E263  6422 AE1A 8109 E498 57EF

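The TOFU+pinning client the message prefers for long-lived self-signed certificates, as an added example in Go that is not part of the thread or of the NNCP code base: a pin store that records the SHA-256 of the server's SubjectPublicKeyInfo the first time a host is contacted and rejects any later connection whose key differs, wired into Go's `tls.Config` through `VerifyPeerCertificate` so that no CA is consulted at all. The hostname, the in-memory store and the loopback handshake are constructed for the example; a real client would persist the pins, as SSH does with known_hosts.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"errors"
	"fmt"
	"math/big"
	"net"
	"time"
)

// ErrPinMismatch: the host presented a key other than the one seen first.
var ErrPinMismatch = errors.New("pinned key changed")

// PinStore maps hostname -> SPKI pin recorded on first contact (in memory
// here for the example; a real client persists it like SSH known_hosts).
type PinStore struct{ pins map[string]string }

func NewPinStore() *PinStore { return &PinStore{pins: map[string]string{}} }

// SPKIPin is base64(SHA-256(SubjectPublicKeyInfo)) of a DER certificate.
// Pinning the key, not the certificate, survives reissuing for the same key.
func SPKIPin(der []byte) (string, error) {
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return "", err
	}
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:]), nil
}

// Verify implements trust on first use: record the first key seen for host,
// then require that same key on every later connection.
func (s *PinStore) Verify(host string, rawCerts [][]byte) error {
	if len(rawCerts) == 0 {
		return errors.New("no certificate presented")
	}
	pin, err := SPKIPin(rawCerts[0]) // rawCerts[0] is the leaf
	if err != nil {
		return err
	}
	if known, ok := s.pins[host]; ok && known != pin {
		return fmt.Errorf("%w for %s", ErrPinMismatch, host)
	}
	s.pins[host] = pin
	return nil
}

// ClientConfig disables CA chain validation and substitutes the pin check,
// so no CA is trusted at all: only the key seen on first use is.
func (s *PinStore) ClientConfig(host string) *tls.Config {
	return &tls.Config{
		ServerName:         host,
		InsecureSkipVerify: true, // replaced, not removed: see the callback
		VerifyPeerCertificate: func(rawCerts [][]byte, _ [][]*x509.Certificate) error {
			return s.Verify(host, rawCerts)
		},
	}
}

// SelfSignedCert makes a long-lived self-signed certificate for host.
func SelfSignedCert(host string, years int) (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().AddDate(years, 0, 0),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, nil
}

// Handshake runs one TLS handshake over loopback TCP; it returns Verify's verdict.
func Handshake(serverCert tls.Certificate, clientCfg *tls.Config) error {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return err
	}
	defer ln.Close()
	go func() { // server side: accept one connection, run its handshake
		if conn, err := ln.Accept(); err == nil {
			defer conn.Close()
			_ = tls.Server(conn, &tls.Config{Certificates: []tls.Certificate{serverCert}}).Handshake()
		}
	}()
	conn, err := net.Dial("tcp", ln.Addr().String())
	if err != nil {
		return err
	}
	defer conn.Close()
	return tls.Client(conn, clientCfg).Handshake()
}
```

Calling `Handshake` three times against one `PinStore` shows the behaviour: the first contact records the pin and succeeds, a second contact with the same key succeeds, and a contact presenting a freshly generated key fails with `ErrPinMismatch`. Because the pin covers the public key rather than the certificate, the server can reissue a certificate for the same key (a longer validity, a changed subject) without breaking clients, which is exactly what short-lived, frequently rekeyed certificates make impractical.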

Thread overview: 12+ messages
2021-07-19 16:57 [EN] NNCP 7.4.0 release announcement Sergey Matveev
2021-07-21 18:47 ` Jonathan Lane
2021-07-21 19:13   ` John Goerzen
2021-07-21 19:32   ` Sergey Matveev [this message]
2021-08-03 15:58     ` Website TLS certificates John Goerzen
2021-08-03 18:02       ` Sergey Matveev
2021-08-04  2:46         ` John Goerzen
2021-08-04 12:51           ` Sergey Matveev
2021-08-04 18:54             ` Jonathan Lane
2021-08-04 19:24               ` Sergey Matveev
2021-08-04 20:16               ` Sergey Matveev
2021-09-02  8:59     ` Sergey Matveev