oss-sec mailing list archives
Re: HTTPS
From: Jeremy Stanley <fungi () yuggoth org>
Date: Thu, 15 Aug 2013 13:34:57 +0000
On 2013-08-15 14:31:19 +0400 (+0400), gremlin () gremlin ru wrote: [...]
> Unlike SSH, the HTTPS clients (which usually are the browsers) do not cache the visited servers' certificates, fully relying on issuing CA's honesty. This introduces a risk of false sense of security. Hmmmm... It seems that keeping self-signed certificates is even more safe than relying on "trusted" CAs...
[...] Dragging this back onto the original topic, hopefully, the above concerns are far less relevant for a tool focused on downloading packages from a single site. The gem utility could absolutely pin its validation expectations to a single signing authority or even to a single server certificate (and make it a configurable list to support private package repositories and mirrors where desired). The transport security implications for a system with basically one distribution endpoint offer significantly different solutions than a many-to-many association like Web browsing.
-- 
{ PGP( 48F9961143495829 ); FINGER( fungi () cthulhu yuggoth org ); WWW( http://fungi.yuggoth.org/ ); IRC( fungi () irc yuggoth org#ccl ); WHOIS( STANL3-ARIN ); MUD( kinrui () katarsis mudpy org:6669 ); }
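The pinning approach described in the reply above, worked through as an added example (this is not code from the thread and not RubyGems' own implementation). It builds a throwaway PKI in-process: a repository CA that the client pins, an unrelated CA that an ordinary trust store would also accept, and a certificate from each for the same hypothetical hostname gems.example.invalid. A browser-style store accepts the certificate from the unrelated CA; a verifier pinned to the repository CA, or to the one server certificate, rejects it. All names, hostnames and certificates here are constructed for the example.

```ruby
require 'openssl'
require 'set'

# Constructed test PKI (generated in-process, not real certificates): helper
# that issues a v3 certificate, self-signed when no issuer is given.
def make_cert(subject, key, serial, issuer: nil, ca: false, san: nil)
  issuer_cert, issuer_key = issuer || [nil, key]
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.parse(subject)
  cert.issuer = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = issuer_cert || cert
  cert.add_extension(ef.create_extension('basicConstraints', ca ? 'CA:TRUE' : 'CA:FALSE', true))
  cert.add_extension(ef.create_extension('keyUsage', ca ? 'keyCertSign,cRLSign' : 'digitalSignature,keyEncipherment', true))
  cert.add_extension(ef.create_extension('subjectAltName', san)) if san
  cert.sign(issuer_key, OpenSSL::Digest.new('SHA256'))
  cert
end

# Verifier that trusts only an explicit, configurable pin list instead of the
# system CA bundle. A pin is either a CA certificate (anything it issued is
# accepted) or a single end-entity certificate (only that exact certificate,
# matched by the SHA-256 fingerprint of its DER encoding, is accepted).
class PinnedVerifier
  def initialize(pinned_certs)
    @leaf_pins = Set.new
    @store = OpenSSL::X509::Store.new # empty on purpose: no system roots
    pinned_certs.each do |c|
      if ca_cert?(c)
        @store.add_cert(c)
      else
        @leaf_pins << fingerprint(c)
      end
    end
  end

  def fingerprint(cert)
    OpenSSL::Digest::SHA256.hexdigest(cert.to_der)
  end

  # True only if the leaf names the host we connected to, is within its
  # validity period, and is either pinned directly or chains to a pinned CA.
  def verify(leaf, host:, intermediates: [])
    return false unless OpenSSL::SSL.verify_certificate_identity(leaf, host)
    now = Time.now
    return false unless leaf.not_before <= now && now <= leaf.not_after
    return true if @leaf_pins.include?(fingerprint(leaf))
    @store.verify(leaf, intermediates)
  end

  private

  def ca_cert?(cert)
    ext = cert.extensions.find { |e| e.oid == 'basicConstraints' }
    !ext.nil? && ext.value.include?('CA:TRUE')
  end
end

# Scenario: the repository CA we pin, an unrelated CA a system trust store
# would also accept, and a certificate from each for the same hypothetical host.
def build_scenario
  host = 'gems.example.invalid'
  keys = Array.new(4) { OpenSSL::PKey::RSA.new(2048) }
  repo_ca   = make_cert('/CN=Repository CA', keys[0], 1, ca: true)
  other_ca  = make_cert('/CN=Some Other Trusted CA', keys[1], 2, ca: true)
  genuine   = make_cert("/CN=#{host}", keys[2], 3, issuer: [repo_ca, keys[0]], san: "DNS:#{host}")
  misissued = make_cert("/CN=#{host}", keys[3], 4, issuer: [other_ca, keys[1]], san: "DNS:#{host}")
  { host: host, repo_ca: repo_ca, other_ca: other_ca, genuine: genuine, misissued: misissued }
end

# Compare browser-style trust (every CA in the store) with the two pinning modes.
def run_demo
  s = build_scenario
  browser_store = OpenSSL::X509::Store.new
  [s[:repo_ca], s[:other_ca]].each { |c| browser_store.add_cert(c) }
  ca_pinned   = PinnedVerifier.new([s[:repo_ca]])  # pin the issuing authority
  leaf_pinned = PinnedVerifier.new([s[:genuine]])  # pin the one server certificate
  {
    browser_accepts_misissued:  browser_store.verify(s[:misissued]),
    ca_pin_accepts_genuine:     ca_pinned.verify(s[:genuine], host: s[:host]),
    ca_pin_rejects_misissued:   !ca_pinned.verify(s[:misissued], host: s[:host]),
    leaf_pin_accepts_genuine:   leaf_pinned.verify(s[:genuine], host: s[:host]),
    leaf_pin_rejects_misissued: !leaf_pinned.verify(s[:misissued], host: s[:host]),
    wrong_host_rejected:        !ca_pinned.verify(s[:genuine], host: 'mirror.example.invalid')
  }
end

if __FILE__ == $PROGRAM_NAME
  run_demo.each { |k, v| puts "#{k}: #{v}" }
end
```

The pin list is the configurable part: a default entry for the public repository plus whatever a site adds for its private repositories and mirrors. In a real client the CA pins would go into the SSLContext's cert_store and the leaf-pin check into its verify_callback; that wiring is not shown here.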
Current thread:
- Re: HTTPS (was: rubygems insecure download (and other problems)), (continued)
- Re: HTTPS (was: rubygems insecure download (and other problems)) Donald Stufft (Aug 14)
- Re: HTTPS (was: rubygems insecure download (and other problems)) Pavel Labushev (Aug 16)
- Message not available
- Re: HTTPS Kurt Seifried (Aug 21)
- Re: HTTPS Pavel Labushev (Aug 22)
- Re: HTTPS (was: rubygems insecure download (and other problems)) Donald Stufft (Aug 14)
- Re: HTTPS Kurt Seifried (Aug 15)
- Re: HTTPS gremlin (Aug 15)
- Re: HTTPS Jeremy Stanley (Aug 15)
- Re: HTTPS gremlin (Aug 16)
- Re: HTTPS Kurt Seifried (Aug 15)