[TriLUG] CA Cert Usefulness

Brian McCullough via TriLUG trilug at trilug.org
Sun Jul 4 19:51:10 EDT 2021


On Sun, Jul 04, 2021 at 05:22:47PM -0400, Triangle Linux Users Group discussion list wrote:
> 
> >Simply go to CAcert.org, look at the menu that is shown on the right
> >side, and find the item, the fourth one, labelled Root Certificate.
> 
> Since CAcert.org's site hosts the root certificate files, and because their
> site uses a CAcert certificate itself, this is the MOTHER OF ALL self-signed
> certificates!  It's just ASKING for a man-in-the-middle attack.
> 
> Unlike other sites' self-signed certificates, this one not only grants you
> access to their site, but also to any site signed by that root certificate,
> since you're installing it directly into your browser's root cert store.

Perhaps I am missing something here, and I probably am, but nobody can
sign anything using these root certificates because these are only the
public parts of the standard X.509 certificate pair.

If you think that replacing the root key with your own ( faking the
web site perhaps ) would be practical, that would only be good for
someone who has never had a CAcert key before.  Anyone who has existing
certificates from CAcert would instantly know that the web site was false.

Not being expert in this field, I expect to be proven wrong.  



> This seems to me like a Supremely Bad Idea™.
> 
> One would think that for their own site, they would use a certificate that
> is signed by somebody else -- ANYBODY ELSE -- just to maintain some level of
> trust for something as important as a root certificate that you're about to
> install on your browser.  But then again, that would show a lack of faith in
> their mission, wouldn't it?
> 
> What a conundrum!
> 
> Alan


Brian


