
I think you are too kind in describing how the CA market works: "CAs whose activities constitute a substantial part of their business have everything to lose if something goes terribly wrong"

CAs where things go wrong are not punished by browser vendors. Pulling a CA root is a binary operation, thus CAs can get away with pretty lousy security and only in extreme cases do they get pulled.

Pricing differences between CAs are much better explained by branding theories. Some people like expensive whiskey, others cheap. The alcohol is the same.

As an example, you mention that it can be hard to know when a certificate is about to expire. Why do browser vendors accept root CAs that do not monitor the web sites they issue certificates to? Why do browser vendors accept root CAs where there is no follow-up service that alerts the buyer if the web site is later not configured according to best practices? Why is this document even required if CAs and browser vendors did their part of the job by setting the bar just a little higher than at ground level? Which browser vendor has set a date for requiring that CAs by default publish certificates in something like certificate transparency? Why do browser vendors accept CAs that are willing to generate private keys and CSRs for you? That's insane!

Personally I think CAs are a disgrace to the security community. I think browser vendors are equally to blame. I think you should point this out in your document :-)

My point there was that CAs who have a significant revenue stream from issuing certificates were more likely to pay attention, provide better service as well as better security. I agree with you that CAs can get killed only in extreme cases (e.g., DigiNotar and DigiCert Sdn. Bhd.). But the decision does not have to be binary. For example, when deciding if a particular certificate is trusted, you could look at the date.
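The date-based, non-binary trust decision mentioned in the reply above, as an added example that is not part of the thread or of the document under discussion. It uses only the Python standard library: the certificate is a constructed, unsigned DER skeleton built inside the block (not a real certificate), the issuer name is assumed to be supplied by the caller rather than parsed from the certificate's Name structure, and the `DISTRUST_AFTER` table and 30-day `WARN_WINDOW` are illustrative policy values, not anyone's published policy.

```python
"""Date-aware, non-binary certificate trust decision (added example, stdlib only).

Assumptions: the certificate is a constructed, unsigned DER skeleton built by
build_sample_cert(), not a real certificate; the issuer name is supplied by the
caller (e.g. from the chain builder) instead of being parsed from the Name
structure; DISTRUST_AFTER and WARN_WINDOW are illustrative policy values."""
from datetime import datetime, timedelta, timezone

INTEGER, OID, NULL, BIT_STRING, UTC_TIME, GENERALIZED_TIME, SEQUENCE = (
    0x02, 0x06, 0x05, 0x03, 0x17, 0x18, 0x30)
VERSION_TAG = 0xA0  # [0] EXPLICIT version in tbsCertificate


def utc(year, month, day):
    return datetime(year, month, day, tzinfo=timezone.utc)


def der(tag, body):
    """Encode one DER TLV (definite length)."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def read_tlv(buf, off):
    """Decode the TLV at buf[off]; return (tag, value, offset after it)."""
    tag, length, off = buf[off], buf[off + 1], off + 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length, off = int.from_bytes(buf[off:off + n], "big"), off + n
    return tag, buf[off:off + length], off + length


def parse_time(tag, value):
    """UTCTime (YYMMDDHHMMSSZ; RFC 5280: YY >= 50 means 19YY) or GeneralizedTime."""
    s = value.decode("ascii")
    if tag == UTC_TIME:
        s = ("19" if int(s[:2]) >= 50 else "20") + s
    return datetime.strptime(s, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def validity_period(cert_der):
    """Walk Certificate -> tbsCertificate -> validity; return (notBefore, notAfter)."""
    _, cert, _ = read_tlv(cert_der, 0)            # Certificate ::= SEQUENCE
    _, tbs, _ = read_tlv(cert, 0)                 # tbsCertificate ::= SEQUENCE
    tag, _, off = read_tlv(tbs, 0)                # optional [0] version
    if tag != VERSION_TAG:
        off = 0                                   # v1: first element is serialNumber
    _, _, off = read_tlv(tbs, off)                # serialNumber
    _, _, off = read_tlv(tbs, off)                # signature AlgorithmIdentifier
    _, _, off = read_tlv(tbs, off)                # issuer Name
    _, validity, _ = read_tlv(tbs, off)           # validity SEQUENCE { notBefore, notAfter }
    t1, v1, off = read_tlv(validity, 0)
    t2, v2, _ = read_tlv(validity, off)
    return parse_time(t1, v1), parse_time(t2, v2)


# Assumed policy: a CA can be sunset by issuance date instead of pulling its root,
# so certificates it signed before the cutoff keep working while newer ones do not.
DISTRUST_AFTER = {"Example Sunset CA": utc(2020, 1, 1)}
WARN_WINDOW = timedelta(days=30)


def assess(cert_der, issuer_name, now):
    """Graded verdict: 'accept', 'warn: ...' or 'reject: ...'."""
    not_before, not_after = validity_period(cert_der)
    if now < not_before or now > not_after:
        return "reject: outside validity period"
    cutoff = DISTRUST_AFTER.get(issuer_name)
    if cutoff is not None and not_before >= cutoff:
        return "reject: issued after the distrust date for this CA"
    if not_after - now <= WARN_WINDOW:
        return "warn: expires in %d days" % (not_after - now).days
    return "accept"


def build_sample_cert(not_before, not_after):
    """Constructed, unsigned v3 certificate skeleton: just enough structure for
    validity_period() to walk. No real key, no real signature."""
    def time_tlv(dt):   # UTCTime covers 1950-2049; GeneralizedTime otherwise
        if 1950 <= dt.year <= 2049:
            return der(UTC_TIME, dt.strftime("%y%m%d%H%M%SZ").encode())
        return der(GENERALIZED_TIME, dt.strftime("%Y%m%d%H%M%SZ").encode())
    # sha256WithRSAEncryption, 1.2.840.113549.1.1.11
    sha256_rsa = der(SEQUENCE, der(OID, bytes.fromhex("2a864886f70d01010b")) + der(NULL, b""))
    tbs = der(SEQUENCE,
              der(VERSION_TAG, der(INTEGER, b"\x02"))     # version v3
              + der(INTEGER, b"\x01")                     # serialNumber
              + sha256_rsa                                # signature algorithm
              + der(SEQUENCE, b"")                        # issuer (empty placeholder Name)
              + der(SEQUENCE, time_tlv(not_before) + time_tlv(not_after))
              + der(SEQUENCE, b"")                        # subject (placeholder)
              + der(SEQUENCE, b""))                       # subjectPublicKeyInfo (placeholder)
    return der(SEQUENCE, tbs + sha256_rsa + der(BIT_STRING, b"\x00"))


if __name__ == "__main__":
    cert = build_sample_cert(utc(2024, 1, 1), utc(2024, 6, 20))
    print(validity_period(cert), assess(cert, "Some CA", utc(2024, 6, 1)))
```

The point of `assess` is that the verdict is graded rather than binary: a certificate still inside its validity window can be flagged for imminent expiry, and a CA can be sunset by issuance date (older certificates keep working, newer ones are refused) without the all-or-nothing root pull the thread complains about. In production the dates would come from a real X.509 parser and the issuer from the verified chain, not from the skeleton builder here.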

