GNU social JP
GNU social JP is a Japanese GNU social server.
Conversation

Notices

  1. feld (feld@friedcheese.us)'s status on Thursday, 06-Mar-2025 07:19:38 JST
    I had a feeling the warning message that FreeBSD isn't responsible for what's in Mozilla's trusted roots would come back to bite us
    In conversation about 3 months ago from friedcheese.us permalink

    Attachments


    1. https://media.friedcheese.us/uploads/f9/98/ea/f998eab8636301ebacb3311847e8172f608d2ba967230067fd07b928ce3286f9.png
    • Fish of Rage (sun@shitposter.world)'s status on Thursday, 06-Mar-2025 07:21:27 JST
      in reply to
      @feld It sucks that in 30 years we still haven't normalized anything better than "here's a hundred certificates that your system trusts to issue a certificate for anything."
      In conversation about 3 months ago permalink
    • feld (feld@friedcheese.us)'s status on Thursday, 06-Mar-2025 07:23:28 JST
      in reply to
      • Fish of Rage
      @sun well there is something slightly better but it doesn't help for this situation: you can generate root or intermediate signing certs that are restricted to a list of domains they're authorized to generate certificates for.

      Obviously that doesn't scale to the whole internet, but it does make it possible for you to install a root CA from me that won't allow me to abuse it and MITM all your traffic
      In conversation about 3 months ago permalink
    • Jonah Aragon (jonah@mastodon.neat.computer)'s status on Thursday, 06-Mar-2025 07:32:33 JST
      in reply to
      • Fish of Rage

      @feld @sun has this ever been used or supported by anything?

      Maybe this has changed by now, but a very long time ago I was looking into creating a CA with Name Constraints for opennic.org domains, and at the time virtually no browsers or SSL implementations recognized Name Constraints at all 😔

      In conversation about 3 months ago permalink

      Attachments

      1. OpenNIC Project
        An organization of hobbyists who run an alternative DNS network, also provides access to domains not administered by ICANN.
    • Fish of Rage (sun@shitposter.world)'s status on Thursday, 06-Mar-2025 07:32:33 JST
      in reply to
      • Jonah Aragon
      @jonah @feld I think unfortunately so long as you have one unrestricted cert on your system anyway it's the weakest link. But at least you wouldn't have a dozen of them I guess.
      In conversation about 3 months ago permalink
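
The two points made in this thread (a CA restricted to a list of domains, and one unrestricted root remaining the weakest link), as an added example that is not part of any participant's post. It assumes only the dNSName matching rule from RFC 5280 section 4.2.1.10; the trust store entries and domains are constructed, and real validators also apply constraints along the whole chain and to every name in the certificate.

```python
# Added illustration (not from the thread): DNS name-constraint matching
# as described in RFC 5280 section 4.2.1.10, applied to a toy trust store.

def _labels(name):
    return name.lower().rstrip(".").split(".")

def in_subtree(hostname, base):
    """True if hostname equals base or adds whole labels to its left."""
    h, b = _labels(hostname), _labels(base)
    return len(h) >= len(b) and h[-len(b):] == b

def ca_may_issue(ca, hostname):
    """Excluded subtrees win; a CA without 'permitted' is unconstrained."""
    if any(in_subtree(hostname, e) for e in ca.get("excluded", [])):
        return False
    permitted = ca.get("permitted")
    if permitted is None:
        return True
    return any(in_subtree(hostname, p) for p in permitted)

def roots_that_can_vouch(trust_store, hostname):
    """Names of every trusted root whose constraints allow this hostname."""
    return [ca["name"] for ca in trust_store if ca_may_issue(ca, hostname)]

# Constructed sample data: one privately run, constrained root and one
# ordinary unconstrained public root.
TRUST_STORE = [
    {"name": "Friend Private Root",
     "permitted": ["lab.example"],
     "excluded": ["secret.lab.example"]},
    {"name": "Public Root A"},
]

if __name__ == "__main__":
    for host in ("git.lab.example", "db.secret.lab.example",
                 "evillab.example", "bank.example"):
        print(host, "->", roots_that_can_vouch(TRUST_STORE, host))
```

The constrained root is accepted only for names under lab.example, while the unconstrained root is accepted for every name in the list, including those the private root is barred from.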


GNU social JP is a social network, courtesy of GNU social JP管理人. It runs on GNU social, version 2.0.2-dev, available under the GNU Affero General Public License.

All GNU social JP content and data are available under the Creative Commons Attribution 3.0 license.