nanog mailing list archives
Re: Microsoft deems all DigiNotar certificates untrustworthy, releases
From: Chris Adams <cmadams () hiwaay net>
Date: Tue, 13 Sep 2011 10:24:28 -0500
Once upon a time, Valdis.Kletnieks () vt edu <Valdis.Kletnieks () vt edu> said:
> If you use SSH to connect, and either ignore the "host key has changed" or "authenticity can't be established, continue connecting?" messages, you get what you deserve - those are the *exact* same issues that your browser warns about self-signed certs. And if you *don't* ignore them on SSH - why do you want to ignore them on SSL?
A big difference between SSH keys and SSL certificates is that SSL certs have a built-in expiration date (which is a good thing, as nothing is secure forever). When that expiration date rolls around, the admin may create a new key/cert pair, rather than just renewing the previous cert, which would cause all the visitors that accepted the previous cert to get a new and nastier warning that the cert has changed. How do the visitors know the difference between this case and a hijack/MITM?

Certs are almost guaranteed to change over time as technology changes. For example, it used to be common to have 512 bit certs with an MD5 signature hash. Now 1024 bit and SHA1 are the norm, and many are moving to 2048 bit (and some to stronger hashes). Having people get used to periodically accepting a changed cert defeats the purpose of signed certs (and again, effectively breaks SSL).

-- 
Chris Adams <cmadams () hiwaay net>
Systems and Network Administrator - HiWAAY Internet Services
I don't speak for anybody but myself - that's enough trouble.
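The point in dispute above is what a "remember this cert" decision actually pins. The following Python model is an added example, not code from the thread or from any browser or SSH implementation: it builds a trust-on-first-use store twice, once pinning a hash over the whole certificate (what accepting a self-signed cert in a browser amounts to) and once pinning only the host's public key (what SSH's known_hosts records). The `Cert` class and its byte strings are constructed stand-ins, not real X.509 or DER, so the example runs offline with the standard library only.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    """Constructed stand-in for an X.509 leaf certificate (not real DER)."""
    host: str
    public_key: bytes   # stands in for the SubjectPublicKeyInfo bytes
    not_after: str      # expiry date, the field that forces periodic renewal
    serial: int

    def cert_fingerprint(self) -> str:
        # What a browser's "accept this certificate" remembers: a hash over
        # the entire certificate, so any renewal produces a new value.
        blob = b"|".join([self.host.encode(), self.public_key,
                          self.not_after.encode(), str(self.serial).encode()])
        return hashlib.sha256(blob).hexdigest()

    def key_fingerprint(self) -> str:
        # What SSH's known_hosts remembers: a hash over the public key only.
        return hashlib.sha256(self.public_key).hexdigest()


class TofuStore:
    """Trust-on-first-use store; `pin` selects which fingerprint is remembered."""

    def __init__(self, pin):
        self.pin = pin        # callable Cert -> fingerprint string
        self.known = {}       # host -> pinned fingerprint

    def check(self, cert: Cert) -> str:
        fp = self.pin(cert)
        seen = self.known.get(cert.host)
        if seen is None:
            self.known[cert.host] = fp
            return "first-use"   # the "authenticity can't be established" prompt
        if seen == fp:
            return "ok"
        # The "has changed" warning. The store cannot tell a planned rekey
        # from an interception: both simply present a different key.
        return "changed"


# Constructed sample material: two distinct host keys and three certificates
# for the same host, covering the two lifecycle events the post describes.
KEY_A = b"constructed-rsa-public-key-A"
KEY_B = b"constructed-rsa-public-key-B"   # fresh key, e.g. after a key-size upgrade
HOST = "www.example.test"

ORIGINAL = Cert(HOST, KEY_A, "2011-09-30", serial=1)
RENEWED = Cert(HOST, KEY_A, "2012-09-30", serial=2)   # same key, new cert
REKEYED = Cert(HOST, KEY_B, "2012-09-30", serial=3)   # new key and new cert


def simulate():
    """Run the three certs through both pinning strategies in order."""
    results = {}
    for name, pin in (("pin-cert", Cert.cert_fingerprint),
                      ("pin-key", Cert.key_fingerprint)):
        store = TofuStore(pin)
        results[name] = [store.check(c) for c in (ORIGINAL, RENEWED, REKEYED)]
    return results


if __name__ == "__main__":
    for strategy, outcomes in simulate().items():
        print(f"{strategy:9s} original={outcomes[0]} renewed={outcomes[1]} rekeyed={outcomes[2]}")
```

Pinning the whole certificate warns on every renewal, which is the habituation problem the post describes. Pinning the key survives a plain renewal but still warns on a rekey, and from the store's point of view that warning is identical to the one a man-in-the-middle would produce, which is exactly why rekeys need an out-of-band trust path (a CA signature, or a pre-announced new fingerprint) rather than another "just accept it" prompt.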