[TriLUG] CA Cert Usefulness
Alan Porter via TriLUG
trilug at trilug.org
Sun Jul 4 17:22:47 EDT 2021
> Simply go to CAcert.org, look at the menu that is shown on the right
> side, and find the item, the fourth one, labelled Root Certificate.

Since CAcert.org's site hosts the root certificate files, and because
their site uses a CAcert certificate itself, this is the MOTHER OF ALL
self-signed certificates! It's just ASKING for a man-in-the-middle
attack.

Unlike other sites' self-signed certificates, this one not only grants
you access to their site, but also to any site signed by that root
certificate, since you're installing it directly into your browser's
root cert store.

This seems to me like a Supremely Bad Idea™.

One would think that for their own site, they would use a certificate
that is signed by somebody else -- ANYBODY ELSE -- just to maintain some
level of trust for something as important as a root certificate that
you're about to install on your browser. But then again, that would
show a lack of faith in their mission, wouldn't it?

What a conundrum!

Alan
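
The bootstrapping problem raised in the message above, as an added example that is not part of the original post: a fingerprint shown on the same page as the root certificate cannot detect a substituted file, while a fingerprint recorded over a separate channel can. All names are hypothetical, the "certificates" are constructed placeholder bytes in PEM armor, and the existence of a separate channel is an assumption.

```python
import hashlib
import hmac
import ssl

def fingerprint_sha256(pem):
    """SHA-256 of the certificate's DER bytes, as lowercase hex."""
    return hashlib.sha256(ssl.PEM_cert_to_DER_cert(pem.strip())).hexdigest()

def colon_form(hex_fp):
    """Render hex in the AA:BB:... form fingerprints are usually printed in."""
    return ":".join(hex_fp[i:i + 2] for i in range(0, len(hex_fp), 2)).upper()

def matches_pin(pem, pinned_fp):
    """True only if the downloaded root hashes to the pinned SHA-256 value."""
    pin = "".join(c for c in pinned_fp.lower() if c in "0123456789abcdef")
    if len(pin) != 64:  # truncated pin, or a different hash algorithm
        return False
    return hmac.compare_digest(fingerprint_sha256(pem), pin)

# Constructed stand-ins: arbitrary bytes in PEM armor, not real certificates.
GENUINE_ROOT = ssl.DER_cert_to_PEM_cert(b"constructed genuine root (placeholder)")
SUBSTITUTED_ROOT = ssl.DER_cert_to_PEM_cert(b"constructed substituted root (placeholder)")

# Assumption: this value was recorded earlier over a separate channel
# (printed material, a signed package), not read from the download page.
OUT_OF_BAND_PIN = colon_form(fingerprint_sha256(GENUINE_ROOT))

def download(tampered):
    """Model of the download page: the root file plus the fingerprint shown
    next to it. Whoever controls the connection controls both values."""
    pem = SUBSTITUTED_ROOT if tampered else GENUINE_ROOT
    return pem, colon_form(fingerprint_sha256(pem))

def check(tampered):
    """Compare the same download against an in-band and an out-of-band pin."""
    pem, in_band_pin = download(tampered)
    return {
        "in_band": matches_pin(pem, in_band_pin),
        "out_of_band": matches_pin(pem, OUT_OF_BAND_PIN),
    }

if __name__ == "__main__":
    for tampered in (False, True):
        print("tampered" if tampered else "clean", check(tampered))
```

The in-band comparison passes in both cases, so it carries no information; only the out-of-band pin changes its answer when the file is substituted.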